Abstract. Escape analysis of object-oriented languages approximates the set of objects which do not escape from a given context. If we take a method as context, the non-escaping objects can be allocated on its activation stack; if we take a thread, Java synchronisation locks on such objects are not needed. In this paper, we formalise a basic escape domain $\mathcal{E}$ as an abstract interpretation of concrete states, which we then refine into an abstract domain $\mathcal{ER}$ which is more concrete than $\mathcal{E}$ and, hence, leads to a more precise escape analysis than $\mathcal{E}$. We provide optimality results for both $\mathcal{E}$ and $\mathcal{ER}$, in the form of Galois insertions from the concrete to the abstract domains and of optimal abstract operations. The Galois insertion property is obtained by restricting the abstract domains to those elements which do not contain garbage, by using an abstract garbage collector. Our implementation of $\mathcal{ER}$ is hence an implementation of a formally correct escape analyser, able to detect the stack allocatable creation points of Java (bytecode) applications.

This report contains the proofs of the results of a paper with the same title and authors, to be published in the journal Higher-Order and Symbolic Computation.
1. Introduction

Escape analysis identifies, at compile-time, some run-time data structures which do not escape from a given context, in the sense that they are not reachable anymore from that context. It has been studied for functional [24, 13, 4] as well as for object-oriented languages [27, 1, 6, 36, 14, 26, 32, 25, 28, 34, 5, 8, 35]. It allows one to stack allocate dynamically created data structures which would normally be heap allocated. This is possible if these data structures do not escape from the method which created them. Stack allocation reduces garbage collection overhead at run-time w.r.t. heap allocation, since stack allocated data structures are automatically deallocated when methods terminate. If, moreover, such data structures do not occur in a loop and their size is statically determined, they can be preallocated on the activation stack, which further improves the efficiency of the code. In the case of Java, which uses a mutual exclusion lock for each object in order to synchronise accesses from different threads of execution, escape analysis allows

© 2008 Kluwer Academic Publishers. Printed in the Netherlands. 






one also to remove unnecessary synchronisations, thereby making run- 
time accesses faster. By removing the space for the mutual exclusion 
lock associated with some of the objects, escape analysis can also help 
with space constraints. To this purpose, the analysis must prove that 
an object is accessed by at most one thread. This is possible if the 
object does not escape its creating thread. 

1.1. Contributions of Our Work 

This paper presents two escape analyses for Java programs. The goal 
of both analyses is to detect objects that do not escape (i.e., are un- 
reachable from outside) a certain scope. This information can later be 
used to stack-allocate captured (i.e., non-escaping) objects. 

Both analyses use the object allocation site model: all objects allocated at a given program point (possibly in a loop) are modelled by the same creation point. The first analysis, based on the abstract domain $\mathcal{E}$, expresses the information we need for our stack allocation. Namely, for each program point, it provides an over-approximation of the set of creation points that escape because they are transitively reachable from a set of escapability roots (i.e., variables including parameters, static fields, method result). The domain $\mathcal{E}$ does not keep track of other information such as the creation points pointed to by each individual variable or field.

Although $\mathcal{E}$ is the property needed for stack allocation, a static analysis based on $\mathcal{E}$ is not sufficiently precise as it does not relate the creation points with the variables and fields that point to them. We therefore consider a refinement $\mathcal{ER}$ of $\mathcal{E}$ that preserves this information and also includes $\mathcal{E}$, so that $\mathcal{ER}$ contains just the minimum information needed for stack allocation.

Both analyses are developed in the abstract interpretation framework [10, 11], and we present proofs that the associated transfer functions are optimal with respect to the abstractions that are used by each analysis, i.e., they make the best possible use of the abstract information expressed by the abstract domains.

To increase the precision of the two analyses and to get a Galois 
insertion, rather than a Galois connection, both analyses use local vari- 
able scoping and type information. Hence, the abstract domains contain 
no spurious element. We achieve this goal through abstract garbage col- 
lectors which remove some elements from the abstract domains when- 
ever they reflect unreachable (and hence, for our analysis, irrelevant) 
portions of the run-time heap, as also [8] does, although [8] does not re- 
late this to the Galois insertion property. Namely, the abstract domains 
are exactly the set of fixpoints of their respective abstract garbage collectors and, hence, do not contain spurious elements.

The contribution of this paper is a clean construction of an escape analysis through abstract interpretation, thus obtaining formal and detailed proofs of correctness as well as optimality. Optimality consists in the abstract domains being related to the concrete domain by a Galois insertion, rather than just a connection, and in the use of optimal abstract operations. Precision and efficiency of the analysis are not the main issues here, although we are pleased to see that our implementation scales to relatively large applications and compares well with some already existing and more precise escape analyses (Section 6).

1.2. The Basic Domain $\mathcal{E}$

Our work starts by defining a basic abstract domain $\mathcal{E}$ for escape analysis. Its definition is guided by the observation that a creation point $\pi$ occurring in a method $m$ can be stack allocated if the objects it creates are not reachable at the end of $m$ from a set of variables $E$ which includes $m$'s return value, the fields of the objects bound to its formal parameters at call-time (including the implicit $\mathit{this}$ parameter) and any exceptions thrown by $m$. Note that we consider the fields of the objects bound to the formal parameters at call-time since they are aliases of the actual arguments, and hence still reachable when the method returns. For a language, such as Java, which allows static fields, $E$ also includes the static fields. Variables with integer type are not included in $E$ since no object can be reached from an integer. Moreover, local variables are also not included in $E$ since local variables accessible inside a method $m$ will disappear once $m$ terminates. The basic abstract domain $\mathcal{E}$ is hence defined as the collection of all sets of creation points. Each method is decorated with an element of $\mathcal{E}$, which contains precisely the creation points of the objects reachable from the variables in $E$ at the end of the method.
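As an added worked example (not code from the paper), the following Python models the concrete heap at the exit of a hypothetical method and computes, by graph reachability from the roots $E$ just described, which of its creation points escape and which are stack allocatable. The heap, the method `m`, the parameter object and the creation point labels `pi1`..`pi3` are all constructed for the example; objects are (creation point, fields) pairs in the spirit of Definition 11.

```python
"""Concrete escape check on a small heap model.

Added example, not code from the paper: the heap, the method and the creation
point labels pi1..pi3 are constructed here. An object is a (creation point,
fields) pair as in Definition 11; a field holds a location or None (null).
"""
from dataclasses import dataclass, field


@dataclass
class Obj:
    cp: str                                     # creation point label (pi)
    fields: dict = field(default_factory=dict)  # field name -> location or None


def reachable(heap, roots):
    """Locations reachable from the root locations by following fields."""
    seen, todo = set(), [l for l in roots if l is not None]
    while todo:
        l = todo.pop()
        if l in seen:
            continue
        seen.add(l)
        todo.extend(v for v in heap[l].fields.values() if v is not None)
    return seen


def escaping_creation_points(heap, ret, params, statics, exc=None):
    """Creation points of objects reachable from the escapability roots E.

    E consists of the return value, the exception thrown (if any), the static
    fields and the fields of the objects bound to the formal parameters at
    call time.  The parameter objects themselves were allocated by the
    caller, so only what hangs off their fields is a root here.  Locals are
    not roots: they vanish when the method returns.
    """
    roots = [ret, exc] + list(statics)
    for p in params:
        if p is not None:
            roots.extend(heap[p].fields.values())
    return {heap[l].cp for l in reachable(heap, roots)}


def stack_allocatable(heap, method_cps, **roots):
    """Creation points of the method whose objects never escape it."""
    return set(method_cps) - escaping_creation_points(heap, **roots)


def example_heap():
    """Constructed heap at the exit of a hypothetical method

        Node m(Node p) {
            Node tmp = new/*pi1*/ Node();   // local only
            Node r   = new/*pi2*/ Node();   // returned
            p.next   = new/*pi3*/ Node();   // stored into a parameter's field
            tmp.next = r;
            return r;
        }
    """
    return {
        "L0": Obj("caller", {"next": "L3"}),   # object bound to parameter p
        "L1": Obj("pi1", {"next": "L2"}),      # tmp
        "L2": Obj("pi2", {"next": None}),      # r
        "L3": Obj("pi3", {"next": None}),      # p.next
    }


def demo():
    """Which of pi1, pi2, pi3 can be stack allocated in m?"""
    heap = example_heap()
    return stack_allocatable(heap, {"pi1", "pi2", "pi3"},
                             ret="L2", params=["L0"], statics=[])


if __name__ == "__main__":
    print(sorted(demo()))
```

Only `pi1` survives: `pi2` escapes through the return value and `pi3` through the field `next` of the parameter object, which the caller still holds. Passing an exception location as `exc` adds a further root, so an object reachable from a thrown exception is never stack allocated even when it is otherwise local.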

Example 1 See journal version of this paper. 

We still have to specify how this decoration is computed for each 
method. We use abstract interpretation to propagate an input set of 
creation points through the statements of each method, until its end is 
reached. This is accomplished by defining a transfer function for every 
statement of the program which, in terms of abstract interpretation, 
is called an abstract operation (see Section 4 and Figure 9). The element of $\mathcal{E}$ resulting at the end of each method is then restricted to the appropriate set $E$ for that method through an abstract operation called $\mathtt{restrict}$. By applying the theory of abstract interpretation, we know that this restriction is a conservative approximation of the actual decoration we need at the end of each method.

Example 2 See journal version of this paper. 

The problem here is that although the abstract domain $\mathcal{E}$ expresses the kind of decoration we need for stack allocation, $\mathcal{E}$ has very poor computational properties. In terms of abstract interpretation, it induces very imprecise abstract operations and, just as in the case of the basic domain $\mathcal{G}$ for groundness analysis of logic programs [20], it needs refining [15, 29].

We formalise the fact that the approximation in $\mathcal{E}$ can shrink by means of an abstract garbage collector (Definition 25), i.e., a garbage collector that works over sets of creation points instead of concrete objects. When a variable's scope is closed, the abstract garbage collector removes from the approximation of the next statement all creation points which can only be reached from that variable. The name of abstract garbage collector is justified by the fact that this conservatively maintains in the approximation the creation points of the objects which might be reachable in the concrete state, thus modelling in the abstract domain a behaviour similar to that of a concrete garbage collector.
It must be noted, however, that our abstract garbage collector only 
considers reachability from the variables in scope in the current method, 
while a concrete garbage collector would consider reachability from all 
variables in the current activation stack. 

1.3. The Refinement $\mathcal{ER}$

The abstract domain $\mathcal{E}$ represents the information we need for stack allocation, but it does not include any other related information that may improve the precision of the abstract operations, such as explicit information about the creation points of the objects bound to a given variable or field. However, the ability to reason on a per variable basis is essential for the precision of a static analysis of imperative languages, where assignment to a given variable or field is the basic computational mechanism. So we refine $\mathcal{E}$ into a new abstract domain $\mathcal{ER}$ which splits the sets of creation points in $\mathcal{E}$ into subsets, one for each variable or field. We show that $\mathcal{ER}$ strictly contains $\mathcal{E}$, justifying the name of refinement.

We perform a static analysis based on $\mathcal{ER}$ exactly as for $\mathcal{E}$ but using the abstract operations for the domain $\mathcal{ER}$ given in Section 5 (see Figure 10).

Example 3 See journal version of this paper. 
The domain $\mathcal{ER}$ can hence be seen as the specification of a new escape analysis, which includes $\mathcal{E}$ as its foundational kernel. Example 3 shows that the abstract domain $\mathcal{ER}$ is actually more precise than $\mathcal{E}$. Our implementation of $\mathcal{ER}$ (Section 6) shows that it can actually be used to obtain non-trivial escape analysis information for Java bytecode.
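The following Python, added here as a worked example and not the paper's implementation, makes the difference between the two domains concrete on a straight-line fragment, together with the two abstract garbage collectors sketched in Sections 1.2 and 1.3. The classes `Node` and `Leaf`, their field types and the creation points `pi1`..`pi3` are constructed for the example; the $\mathcal{ER}$ state keeps one set of creation points per variable in scope and one per fully qualified field name, and its projection onto $\mathcal{E}$ is the union of those sets.

```python
"""Abstract escape states on the domains E and ER, with their abstract
garbage collectors.

Added example, not the paper's implementation; the classes, field types and
creation points below are constructed.  An ER-style state maps each variable
in scope, and each fully qualified field name, to a set of creation points;
its E-style projection is the union of all these sets.  Closing the scope of
variables triggers the abstract garbage collector: ER drops the creation
points no longer reachable from the remaining variables, while E, which has
no per-variable information, can only drop the points whose class no
variable in scope (nor any field reachable through the declared types) could
hold.
"""

# Constructed static information: class of each creation point, typed fields
# of each class, and the set of classes below each class in the hierarchy.
CLASS_OF = {"pi1": "Node", "pi2": "Node", "pi3": "Leaf"}
FIELDS = {"Node": {"next": "Node", "leaf": "Leaf"}, "Leaf": {}}
SUBCLASSES = {"Node": {"Node"}, "Leaf": {"Leaf"}}


class ER:
    """Per-variable and per-field sets of creation points."""

    def __init__(self, types):
        self.types = dict(types)                 # variable -> declared class
        self.vars = {v: set() for v in types}    # variable -> creation points
        self.fields = {}                         # "Class.f" -> creation points

    def new(self, v, pi):                        # v = new pi
        self.vars[v] = {pi}

    def putfield(self, v, f, w):                 # v.f = w
        for pi in self.vars[v]:
            key = f"{CLASS_OF[pi]}.{f}"
            self.fields[key] = self.fields.get(key, set()) | self.vars[w]

    def restrict(self, keep):                    # close the scope of the others
        self.vars = {v: s for v, s in self.vars.items() if v in keep}
        self.types = {v: t for v, t in self.types.items() if v in keep}
        self.gc()

    def gc(self):
        """Keep only the points reachable from a variable in scope."""
        live, todo = set(), set().union(*self.vars.values())
        while todo:
            pi = todo.pop()
            if pi in live:
                continue
            live.add(pi)
            for f in FIELDS[CLASS_OF[pi]]:
                todo |= self.fields.get(f"{CLASS_OF[pi]}.{f}", set())
        self.fields = {k: s & live for k, s in self.fields.items() if s & live}

    def to_E(self):
        """Projection onto E: all creation points that may still be reachable."""
        return set().union(*self.vars.values(), *self.fields.values())


def gc_E(points, types):
    """E's abstract garbage collector: it only has types to work with."""
    live, todo = set(), set().union(*(SUBCLASSES[t] for t in types.values()))
    while todo:
        k = todo.pop()
        if k in live:
            continue
        live.add(k)
        for t in FIELDS[k].values():
            todo |= SUBCLASSES[t]
    return {pi for pi in points if CLASS_OF[pi] in live}


def demo():
    """x = new pi1; y = new pi2; z = new pi3; y.leaf = z; then y, z leave scope."""
    s = ER({"x": "Node", "y": "Node", "z": "Leaf"})
    s.new("x", "pi1")
    s.new("y", "pi2")
    s.new("z", "pi3")
    s.putfield("y", "leaf", "z")
    before = s.to_E()                            # {pi1, pi2, pi3} on both domains
    s.restrict({"x"})
    er_after = s.to_E()                          # pi2 was reachable only from y
    e_after = gc_E(before, {"x": "Node"})        # x may hold any Node: keeps all
    return er_after, e_after


if __name__ == "__main__":
    print(demo())
```

After `y` and `z` leave scope, $\mathcal{ER}$ retains `{pi1, pi3}` while $\mathcal{E}$ must retain all three points: `x` is a `Node` and, by type alone, could be bound to an object of `pi2` whose `leaf` field could hold `pi3`. Note that `pi3` survives in $\mathcal{ER}$ as well, because the field `Node.leaf` is tracked by name rather than per creation point, and `x`'s object could have that field set; the per-variable information is what lets `pi2` go.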

1.4. Structure of the Paper 

After a brief summary of our notation and terminology in Section 2, we pass in Section 3 to recall the framework of [31] on which the analysis is based. Then, in Section 4, we formalise our basic domain $\mathcal{E}$ and provide suitable abstract operations for its analysis. We show that the analysis induced by $\mathcal{E}$ is very imprecise. Hence, in Section 5 we refine the domain $\mathcal{E}$ into the more precise domain $\mathcal{ER}$ for escape analysis. In Section 6, we discuss our prototype implementation and experimental results. Section 7 discusses related work. Section 8 concludes the main part of the paper.

Preliminary, partial versions of this paper appeared in [17] and [18]. The current paper is a seamless fusion of these papers, with the proofs of the theoretical results and with a description and evaluation of the implementation of the escape analysis over the domain $\mathcal{ER}$.

2. Preliminaries 

A total (partial) function $f$ is denoted by $\mapsto$ ($\to$). The domain (range) of $f$ is $\mathrm{dom}(f)$ ($\mathrm{rng}(f)$). We denote by $[v_1 \mapsto t_1, \ldots, v_n \mapsto t_n]$ the function $f$ where $\mathrm{dom}(f) = \{v_1, \ldots, v_n\}$ and $f(v_i) = t_i$ for $i = 1, \ldots, n$. Its update is $f[w_1 \mapsto d_1, \ldots, w_m \mapsto d_m]$, where the domain may be enlarged. By $f|_s$ ($f|_{-s}$) we denote the restriction of $f$ to $s \subseteq \mathrm{dom}(f)$ (to $\mathrm{dom}(f) \setminus s$). If $f$ and $g$ are functions, we denote by $fg$ the composition of $f$ and $g$, such that $fg(x) = f(g(x))$. If $f(x) = x$ then $x$ is a fixpoint of $f$. The set of fixpoints of $f$ is denoted by $\mathrm{fp}(f)$.

A pair of elements is written $a \star b$. A definition of a pair $S$ such as $S = a \star b$, with $a$ and $b$ meta-variables, silently defines the pair selectors $s.a$ and $s.b$ for $s \in S$. The cardinality of a set $S$ is denoted by $\#S$. The disjoint union of two sets $S, T$ is denoted by $S + T$. To simplify expressions, particularly when the set is used as a subscript, we sometimes write a singleton set $\{x\}$ as $x$. If $S$ is a set and $\le$ is a binary relation over $S$, we say that $\le$ is a partial ordering on $S$ if it is reflexive ($s \le s$ for every $s \in S$), transitive ($s_1 \le s_2$ and $s_2 \le s_3$ entail $s_1 \le s_3$ for every $s_1, s_2, s_3 \in S$) and anti-symmetric ($s_1 \le s_2$ and $s_2 \le s_1$ entail $s_1 = s_2$ for every $s_1, s_2 \in S$). If $S$ is a set and $\le$ a partial ordering on $S$, then the pair $S \star \le$ is a poset.
A complete lattice is a poset $C \star \le$ where least upper bounds (lub) and greatest lower bounds (glb) always exist. Let $C \star \le$ and $A \star \preceq$ be posets and $f : C \mapsto A$. We say that $f$ is monotonic if $c_1 \le c_2$ entails $f(c_1) \preceq f(c_2)$. It is (co-)additive if it preserves lub's (glb's). Let $f : A \mapsto A$. The map $f$ is reductive (respectively, extensive) if $f(a) \preceq a$ (respectively, $a \preceq f(a)$) for any $a \in A$. It is idempotent if $f(f(a)) = f(a)$ for any $a \in A$. It is a lower closure operator (lco) if it is monotonic, reductive and idempotent.

We recall now the basics of abstract interpretation [10, 11]. Let $C \star \le$ and $A \star \preceq$ be two posets (the concrete and the abstract domain). A Galois connection is a pair of monotonic maps $\alpha : C \mapsto A$ and $\gamma : A \mapsto C$ such that $\gamma\alpha$ is extensive and $\alpha\gamma$ is reductive. It is a Galois insertion when $\alpha\gamma$ is the identity map, i.e., when the abstract domain does not contain useless elements. If $C$ and $A$ are complete lattices and $\alpha$ is strict and additive, then $\alpha$ is the abstraction map of a Galois connection. If, moreover, $\alpha$ is onto or $\gamma$ is one-to-one, then $\alpha$ is the abstraction map of a Galois insertion. In a Galois connection, $\gamma$ can be defined in terms of $\alpha$ as $\gamma(a) = \sqcup\{c \mid \alpha(c) \preceq a\}$, where $\sqcup$ is the least upper bound operation over the concrete domain $C$. Hence, it is enough to provide $\alpha$ to define a Galois connection. An abstract operator $\hat{f} : A^n \mapsto A$ is correct w.r.t. $f : C^n \mapsto C$ if $\alpha f \gamma \preceq \hat{f}$. For each operator $f$, there exists an optimal (most precise) correct abstract operator $\hat{f}$ defined as $\hat{f} = \alpha f \gamma$. This means that $\hat{f}$ does the best it can with the information expressed by the abstract domain. The composition of correct operators is correct. The composition of optimal operators is not necessarily optimal. The semantics of a program is the fixpoint of a map $f : C \mapsto C$, where $C$ is the computational domain. Its collecting version [10, 11] works over properties of $C$, i.e., over $\wp(C)$, and is the fixpoint of the powerset extension of $f$. If $f$ is defined through suboperations, their powerset extensions and $\cup$ (which merges the semantics of the branches of a conditional) induce the extension of $f$.
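The definitions above can be checked by brute force on a finite instance. The Python below is an added example, not from the paper: it takes as concrete domain the powerset of a small set of type-correct frames (variables bound to creation points or null, as in Definition 11 but with no memory), as abstract domain the powerset of the creation points as in $\mathcal{E}$, and verifies the Galois connection, exhibits the spurious abstract elements on which $\alpha\gamma$ is not the identity, and computes the optimal operator $\alpha f \gamma$ for the concrete operation `x = new pi1`. The creation points `pi1`..`pi4`, their classes and the variables `x`, `y` are constructed for the example.

```python
"""Galois connection versus Galois insertion, checked by brute force.

Added example, not from the paper.  The concrete domain is the powerset of a
finite set of frames; a frame binds each typed variable to a creation point
or to None (null), as in Definition 11 but without a memory.  The abstract
domain is the powerset of the creation points, as in E.  alpha collects the
creation points bound in some frame of a set; gamma returns every frame that
uses only creation points of the abstract element.  The static information
(creation points, classes, variables) is constructed for the example.
"""
from itertools import product

PI = {"pi1": "Node", "pi2": "Node", "pi3": "Leaf", "pi4": "Other"}
TYPES = {"x": "Node", "y": "Leaf"}                  # variables in scope
SUB = {"Node": {"Node"}, "Leaf": {"Leaf"}, "Other": {"Other"}}


def frames(types=TYPES):
    """All type-correct frames: a variable of class t holds null or a point
    of a class below t."""
    choices = [[None] + [p for p, k in PI.items() if k in SUB[t]]
               for t in types.values()]
    return {tuple(zip(types, vals)) for vals in product(*choices)}


ALL = frames()


def alpha(S):
    return frozenset(p for fr in S for _, p in fr if p is not None)


def gamma(a):
    return frozenset(fr for fr in ALL if alpha({fr}) <= a)


def powerset(xs):
    xs = list(xs)
    return [frozenset(x for x, b in zip(xs, bits) if b)
            for bits in product([0, 1], repeat=len(xs))]


def is_connection():
    """gamma.alpha extensive on C, alpha.gamma reductive on A."""
    return (all(S <= gamma(alpha(S)) for S in powerset(ALL))
            and all(alpha(gamma(a)) <= a for a in powerset(PI)))


def spurious():
    """Abstract elements that are not fixpoints of alpha.gamma: they contain
    a creation point no variable in scope can hold."""
    return {a for a in powerset(PI) if alpha(gamma(a)) != a}


def is_insertion(domain):
    return all(alpha(gamma(a)) == a for a in domain)


def optimal(f, a):
    """Best correct abstract operator alpha.f.gamma for a frame map f."""
    return alpha({f(fr) for fr in gamma(a)})


def assign_new_x(fr, pi="pi1"):
    """Concrete semantics of x = new pi on a frame."""
    return tuple((v, pi if v == "x" else p) for v, p in fr)


def naive_new_x(a, pi="pi1"):
    """A correct but not optimal abstraction of x = new pi."""
    return a | {pi}


if __name__ == "__main__":
    print(is_connection(), len(spurious()), is_insertion(powerset(PI)))
    print(sorted(optimal(assign_new_x, frozenset({"pi2", "pi3"}))))
```

Every abstract element containing `pi4` is spurious (no variable of class `Node` or `Leaf` can hold an `Other`), so the pair is a connection but not an insertion; restricting the abstract domain to the fixpoints of $\alpha\gamma$, which is what the abstract garbage collectors of the paper do with type information, turns it into an insertion. On `{pi2, pi3}` the optimal operator for `x = new pi1` yields `{pi1, pi3}`: `x` was the only variable that could hold `pi2`, so the overwrite kills it, whereas the naive `a ∪ {pi1}` keeps it.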



3. The Framework of Analysis 

The framework presented here is for a simple typed object-oriented 
language where the concrete states and operations are based on [31]. 
It allows us to derive a compositional, denotational semantics, which 
can be seen as an analyser, from a specification of a domain of ab- 
stract states and operations which work over them (hence called state 
transformers). Then problems such as scoping, recursion and name 
clash can be ignored, since these are already solved by the semantics. 
Moreover, this framework relates the precision of the analysis to that of its abstract domain so that traditional techniques for comparing the precision of abstract domains can be applied [9, 10, 11].

The definition of a denotational semantics, in the style of [37], by 
using the state transformers of this section can be found in [31]. Here 
we only want to make clear some points: 

— We allow expressions to have side-effects, such as method call expressions, which is not the case in [37]. As a consequence, the evaluation of an expression from an initial state yields both a final state and the value of the expression. We use a special variable $\mathit{res}$ of the final state to hold this value;

— The evaluation from an initial state $\sigma_1$ of a binary operation such as $e_1 + e_2$, where $e_1$ and $e_2$ are expressions, first evaluates $e_1$ from $\sigma_1$, yielding an intermediate state $\sigma_2$, and then evaluates $e_2$ from $\sigma_2$, yielding a state $\sigma_3$. The value $v_1$ of $\mathit{res}$ in $\sigma_2$ is that of $e_1$, and the value $v_2$ of $\mathit{res}$ in $\sigma_3$ is that of $e_2$. We then modify $\sigma_3$ by storing in $\mathit{res}$ the sum $v_1 + v_2$. This yields the final state. Note that the single variable $\mathit{res}$ is enough for this purpose. The complexity of this mechanism w.r.t. a more standard approach [37] is, again, a consequence of the use of expressions with side-effects;

— Our denotational semantics deals with method calls through interpretations: an interpretation is the input/output behaviour of a method, and is used as its denotation whenever that method is called. As a nice consequence, our states contain only a single frame, rather than an activation stack of frames. This is standard in denotational semantics and has been used for years in logic programming [7].

— The computation of the semantics of a program starts from a bottom interpretation which maps every input state to an undefined final state and then updates this interpretation with the denotations of the methods' bodies. This process is iterated until a fixpoint is reached, as is done for logic programs [7]. The same technique can be applied to compute the abstract semantics of a program, but the computation is performed over the abstract domain. It is also possible to generate constraints which relate the abstract approximations at different program points, and then solve such constraints with a fixpoint engine. The latter is the technique that we use in Section 6.

3.1. Programs and Creation Points 

We recall here the semantical framework of [31]. 
Definition 4 (Type Environment) Each program in the language has a finite set of identifiers $\mathit{Id}$ such that $\mathit{out}, \mathit{this} \in \mathit{Id}$ and a finite set of classes $\mathcal{K}$, ordered by a subclass relation $\le$ such that $\mathcal{K} \star \le$ is a poset. Let $\mathit{Type} = \{\mathit{int}\} \uplus \mathcal{K}$ and $\le$ be extended to $\mathit{Type}$ by defining $\mathit{int} \le \mathit{int}$. Let $\mathit{Vars} \subseteq \mathit{Id}$ be a set of variables such that $\{\mathit{out}, \mathit{this}\} \subseteq \mathit{Vars}$. A type environment for a program is any element of the set

$$\mathit{TypEnv} = \{\tau : \mathit{Vars} \to \mathit{Type} \mid \text{if } \mathit{this} \in \mathrm{dom}(\tau) \text{ then } \tau(\mathit{this}) \in \mathc{K}\}.$$

In the following, r will implicitly stand for a type environment. 

A class contains local variables (fields) and functions (methods). A method has a set of input/output variables called parameters, including $\mathit{out}$, which holds the result of the method, and $\mathit{this}$, which is the object over which the method has been called (the receiver of the call). Methods returning void are represented as methods returning an $\mathit{int}$ of constant value 0, implicitly ignored by the caller of the method.

Example 5 See journal version of this paper. 

Fields is a set of maps which bind each class to the type environment 
of its fields. The variable this cannot be a field. Methods is a set of 
maps which bind each class to a map from identifiers to methods. Pars 
is a set of maps which bind each method to the type environment of 
its parameters (its signature). 

Definition 6 (Field, Method, Parameter) Let $\mathcal{M}$ be a finite set of methods. We define

$$\mathit{Fields} = \{F : \mathcal{K} \mapsto \mathit{TypEnv} \mid \mathit{this} \notin \mathrm{dom}(F(\kappa)) \text{ for every } \kappa \in \mathcal{K}\}$$

$$\mathit{Methods} = \mathcal{K} \mapsto (\mathit{Id} \to \mathcal{M})$$

$$\mathit{Pars} = \{P : \mathcal{M} \mapsto \mathit{TypEnv} \mid \{\mathit{out}, \mathit{this}\} \subseteq \mathrm{dom}(P(\nu)) \text{ for every } \nu \in \mathcal{M}\}.$$

The static information of a program is used by the static analyser. 

Definition 7 (Static Information) The static information of a program consists of a poset $\mathcal{K} \star \le$, a set of methods $\mathcal{M}$ and maps $F \in \mathit{Fields}$, $M \in \mathit{Methods}$ and $P \in \mathit{Pars}$.

Fields in different classes but with the same name can be disam- 
biguated by using their fully qualified name such as in the Java Virtual 
Machine [21]. For instance, we write Circle. x for the field x of the class 
Circle. 

Example 8 See journal version of this paper. 
The only points in the program where new objects can be created are the $\mathtt{new}$ statements. We require that each of these statements is identified by a unique label called its creation point.

Definition 9 (Creation Point) Let $\Pi$ be a finite set of labels called creation points. A map $k : \Pi \mapsto \mathcal{K}$ relates every creation point $\pi \in \Pi$ with the class $k(\pi)$ of the objects it creates.

Example 10 See journal version of this paper. 



3.2. Concrete States 



To represent the concrete state of a computation at a particular pro- 
gram point we need to refer to the concrete values that may be assigned 
to the variables. Apart from the integers and null, these values need 
to include locations which are the addresses of the memory cells used 
at that point. Then the concrete state of the computation consists of a 
map that assigns type consistent values to variables (frame) and a map 
from locations to objects (memory) where an object is characterised by 
its creation point and the frame of its fields. Hence the notion of object 
that we use here is more concrete than that in [31], which relates a 
class rather than a creation point to each object. A memory can be 
updated by assigning new (type consistent) values to the variables in 
its frames. 



Definition 11 (Location, Frame, Object, Memory) Let $\mathit{Loc}$ be an infinite set of locations and $\mathit{Value} = \mathbb{Z} + \mathit{Loc} + \{\mathit{null}\}$. We define frames, objects and memories as

$$\mathit{Frame}_\tau = \left\{\phi : \mathrm{dom}(\tau) \mapsto \mathit{Value} \;\middle|\; \text{for every } v \in \mathrm{dom}(\tau):\ \tau(v) = \mathit{int} \Rightarrow \phi(v) \in \mathbb{Z},\ \tau(v) \in \mathcal{K} \Rightarrow \phi(v) \in \{\mathit{null}\} \cup \mathit{Loc}\right\}$$

$$\mathit{Obj} = \{\pi \star \phi \mid \pi \in \Pi,\ \phi \in \mathit{Frame}_{F(k(\pi))}\}$$

$$\mathit{Memory} = \{\mu \in \mathit{Loc} \to \mathit{Obj} \mid \mathrm{dom}(\mu) \text{ is finite}\}.$$

Let $\mu_1, \mu_2 \in \mathit{Memory}$ and $L \subseteq \mathrm{dom}(\mu_1)$. We say that $\mu_2$ is an $L$-update of $\mu_1$, written $\mu_1 =_L \mu_2$, if $L \subseteq \mathrm{dom}(\mu_2)$ and for every $l \in L$ we have $\mu_1(l).\pi = \mu_2(l).\pi$.

The initial value for a variable of a given type is used when we add a variable in scope. It is defined as $\Im(\mathit{int}) = 0$, $\Im(\kappa) = \mathit{null}$ for $\kappa \in \mathcal{K}$. This function is extended to type environments (Definition 4) as $\Im(\tau)(v) = \Im(\tau(v))$ for every $v \in \mathrm{dom}(\tau)$.
Example 12 See journal version of this paper.

Type correctness and conservative garbage collection guarantee that 
there are no dangling pointers and that variables may only be bound to 
locations which contain objects allowed by the type environment. This 
is a sensible constraint for the memory allocated by strongly-typed 
languages such as Java [2]. 

Definition 13 (Weak Correctness) Let $\phi \in \mathit{Frame}_\tau$ and $\mu \in \mathit{Memory}$. We say that $\phi$ is weakly $\tau$-correct w.r.t. $\mu$ if for every $v \in \mathrm{dom}(\phi)$ such that $\phi(v) \in \mathit{Loc}$ we have $\phi(v) \in \mathrm{dom}(\mu)$ and $k((\mu\phi(v)).\pi) \le \tau(v)$.

We strengthen the correctness notion of Definition 13 by requiring that it also holds for the fields of the objects in memory.

Definition 14 ($\tau$-Correctness) Let $\phi \in \mathit{Frame}_\tau$ and $\mu \in \mathit{Memory}$. We say that $\phi$ is $\tau$-correct w.r.t. $\mu$, and write $\phi \star \mu : \tau$, if

1. $\phi$ is weakly $\tau$-correct w.r.t. $\mu$ and,

2. for every $o \in \mathrm{rng}(\mu)$, $o.\phi$ is weakly $F(k(o.\pi))$-correct w.r.t. $\mu$.

Example 15 See journal version of this paper. 

Definition 16 defines the state of the computation as a pair consisting of a frame and a memory. The variable $\mathit{this}$ in the domain of the frame must be bound to an object. In particular, it cannot be $\mathit{null}$. This condition could be relaxed in Definition 16. This would lead to simplifications in the following sections (such as in Definition 25). However, our condition is consistent with the specification of the Java programming language [2]. Note, however, that there is no such hypothesis about the local variable number 0 of the Java Virtual Machine, which stores the $\mathit{this}$ object [21].

Definition 16 (State) If $\tau$ is a type environment associated with a program point, the set of possible states of a computation at that point is any subset of

$$\Sigma_\tau = \left\{\phi \star \mu \;\middle|\; \phi \in \mathit{Frame}_\tau,\ \mu \in \mathit{Memory},\ \phi \star \mu : \tau,\ \text{if } \mathit{this} \in \mathrm{dom}(\tau) \text{ then } \phi(\mathit{this}) \ne \mathit{null}\right\}.$$

Example 17 See journal version of this paper.

The frame of an object $o$ in memory is itself a state for the instance variables of $o$.
Proposition 18 Let $\phi \star \mu \in \Sigma_\tau$ and $o \in \mathrm{rng}(\mu)$. Then $(o.\phi) \star \mu \in \Sigma_{F(k(o.\pi))}$.

Proof. Since $\phi \star \mu \in \Sigma_\tau$, from Definition 16 we have $\phi \star \mu : \tau$. From Definition 14 we know that $o.\phi$ is weakly $F(k(o.\pi))$-correct w.r.t. $\mu$, so that $(o.\phi) \star \mu : F(k(o.\pi))$. Since $\mathit{this} \notin \mathrm{dom}(F(k(o.\pi)))$ (Definition 6) we conclude that $(o.\phi) \star \mu \in \Sigma_{F(k(o.\pi))}$. $\square$

3.3. The Operations over the Concrete States 

Figures 7 and 8 show the signatures and the definitions, respectively, 
of a set of operations over the concrete states for a type environment r. 
The variable res holds intermediate results, as we said at the beginning 
of this section. We briefly introduce these operations. 

— The nop operation does nothing. 

— A get operation loads into $\mathit{res}$ a constant, the value of another variable or the value of the field of an object. In the last case ($\mathtt{get\_field}$), that object is assumed to be stored in $\mathit{res}$ before the get operation. Then $\mu\phi'(\mathit{res})$ is the object whose field $f$ must be read, $(\mu\phi'(\mathit{res})).\phi$ are its fields and $((\mu\phi'(\mathit{res})).\phi)(f)$ is the value of the field named $f$.

— A put operation stores the value of $\mathit{res}$ in a variable $v$ ($\mathtt{put\_var}$) or in a field of an object ($\mathtt{put\_field}$). Note that, in the second case, $\mathtt{put\_field}$ is a binary operation since the evaluation of $e_1.f = e_2$ from an initial state $\sigma_1$ works by first evaluating $e_1$ from $\sigma_1$, yielding an intermediate state $\sigma_2$, and then evaluating $e_2$ from $\sigma_2$, yielding a state $\sigma_3$. The final state is then $\mathtt{put\_field}(\sigma_2)(\sigma_3)$ [31], where the variable $\mathit{res}$ of $\sigma_2$ holds the value of $e_1$ and the variable $\mathit{res}$ of $\sigma_3$ holds the value of $e_2$. The object whose field is modified must still exist in the memory of $\sigma_3$. This is expressed by the update relation (Definition 11). As there is no result, $\mathit{res}$ is removed. Providing two states, i.e., two frames and two heaps, for $\mathtt{put\_field}$ and, more generally, for binary operations, may look like overkill, and it might be expected that a single state and a single frame would be enough. However, our decision to have two states has been dictated by the intended use of this semantics, i.e., abstract interpretation. By only using operations over states, we have exactly one concrete domain, which can be abstracted into just one abstract domain. Hybrid operations, working on states and frames, would only complicate the abstraction.
Figure 7. The signature of the operations over the states. In every row $\mathit{this} \in \mathrm{dom}(\tau)$ is required; the constraint listed after each signature is the additional condition under which the operation is defined.

— $\mathtt{nop}_\tau : \Sigma_\tau \mapsto \Sigma_\tau$; no further constraint.

— $\mathtt{get\_int}^i_\tau : \Sigma_\tau \mapsto \Sigma_{\tau[\mathit{res} \mapsto \mathit{int}]}$; $\mathit{res} \notin \mathrm{dom}(\tau)$, $i \in \mathbb{Z}$.

— $\mathtt{get\_null}^\kappa_\tau : \Sigma_\tau \mapsto \Sigma_{\tau[\mathit{res} \mapsto \kappa]}$; $\mathit{res} \notin \mathrm{dom}(\tau)$, $\kappa \in \mathcal{K}$.

— $\mathtt{get\_var}^v_\tau : \Sigma_\tau \mapsto \Sigma_{\tau[\mathit{res} \mapsto \tau(v)]}$; $\mathit{res} \notin \mathrm{dom}(\tau)$, $v \in \mathrm{dom}(\tau)$.

— $\mathtt{get\_field}^f_\tau : \Sigma_\tau \to \Sigma_{\tau[\mathit{res} \mapsto \iota(f)]}$; $\mathit{res} \in \mathrm{dom}(\tau)$, $\tau(\mathit{res}) \in \mathcal{K}$, $\iota = F(\tau(\mathit{res}))$, $f \in \mathrm{dom}(\iota)$.

— $\mathtt{put\_var}^v_\tau : \Sigma_\tau \mapsto \Sigma_{\tau|_{-\mathit{res}}}$; $\mathit{res} \in \mathrm{dom}(\tau)$, $v \in \mathrm{dom}(\tau)$, $v \ne \mathit{res}$, $\tau(\mathit{res}) \le \tau(v)$.

— $\mathtt{put\_field}^f_{\tau,\tau'} : \Sigma_\tau \mapsto \Sigma_{\tau'} \to \Sigma_{\tau|_{-\mathit{res}}}$; $\mathit{res} \in \mathrm{dom}(\tau)$, $\tau(\mathit{res}) \in \mathcal{K}$, $f \in \mathrm{dom}(F(\tau(\mathit{res})))$, $\tau' = \tau[\mathit{res} \mapsto t]$ with $t \le (F(\tau(\mathit{res})))(f)$.

— $=_\tau, +_\tau : \Sigma_\tau \mapsto \Sigma_\tau \mapsto \Sigma_{\tau[\mathit{res} \mapsto \mathit{int}]}$; $\mathit{res} \in \mathrm{dom}(\tau)$, $\tau(\mathit{res}) = \mathit{int}$.

— $\mathtt{is\_null}_\tau : \Sigma_\tau \mapsto \Sigma_{\tau[\mathit{res} \mapsto \mathit{int}]}$; $\mathit{res} \in \mathrm{dom}(\tau)$, $\tau(\mathit{res}) \in \mathcal{K}$.

— $\mathtt{call}^{v_1,\ldots,v_n}_\tau : \Sigma_\tau \mapsto \Sigma_{P(\nu)|_{-\mathit{out}}}$; $\mathit{res} \in \mathrm{dom}(\tau)$, $\tau(\mathit{res}) \in \mathcal{K}$, $\{v_1, \ldots, v_n\} \subseteq \mathrm{dom}(\tau)$, $\nu \in \mathcal{M}$, $\mathrm{dom}(P(\nu)) \setminus \{\mathit{out}, \mathit{this}\} = \{\iota_1, \ldots, \iota_n\}$ (alphabetically ordered), $\tau(\mathit{res}) \le P(\nu)(\mathit{this})$, $\tau(v_i) \le P(\nu)(\iota_i)$ for $i = 1, \ldots, n$.

— $\mathtt{return}^\nu_\tau : \Sigma_\tau \mapsto \Sigma_{\rho|_{\mathit{out}}} \to \Sigma_{\tau[\mathit{res} \mapsto \rho(\mathit{out})]}$; $\mathit{res} \in \mathrm{dom}(\tau)$, $\nu \in \mathcal{M}$, $\rho = P(\nu)$.

— $\mathtt{restrict}^{vs}_\tau : \Sigma_\tau \mapsto \Sigma_{\tau|_{-vs}}$; $vs \subseteq \mathrm{dom}(\tau)$.

— $\mathtt{expand}^{v:t}_\tau : \Sigma_\tau \mapsto \Sigma_{\tau[v \mapsto t]}$; $v \in \mathit{Vars}$, $v \notin \mathrm{dom}(\tau)$, $t \in \mathit{Type}$.

— $\mathtt{new}^\pi_\tau : \Sigma_\tau \mapsto \Sigma_{\tau[\mathit{res} \mapsto k(\pi)]}$; $\mathit{res} \notin \mathrm{dom}(\tau)$, $\pi \in \Pi$.

— $\mathtt{lookup}^{m,\nu}_\tau : \Sigma_\tau \to \Sigma_{\tau[\mathit{res} \mapsto P(\nu)(\mathit{this})]}$; $\mathit{res} \in \mathrm{dom}(\tau)$, $\tau(\mathit{res}) \in \mathcal{K}$, $m \in \mathrm{dom}(M(\tau(\mathit{res})))$, $\nu \in \mathcal{M}$; for every suitable $m$, $\sigma$ and $\tau$ there is at most one $\nu$ such that $\mathtt{lookup}^{m,\nu}_\tau(\sigma)$ is defined.

— $\mathtt{is\_true}_\tau : \Sigma_\tau \to \Sigma_{\tau|_{-\mathit{res}}}$ and $\mathtt{is\_false}_\tau : \Sigma_\tau \to \Sigma_{\tau|_{-\mathit{res}}}$; $\mathit{res} \in \mathrm{dom}(\tau)$, $\tau(\mathit{res}) = \mathit{int}$, $\mathrm{dom}(\mathtt{is\_true}_\tau) \cap \mathrm{dom}(\mathtt{is\_false}_\tau) = \emptyset$, $\mathrm{dom}(\mathtt{is\_true}_\tau) \cup \mathrm{dom}(\mathtt{is\_false}_\tau) = \Sigma_\tau$.



— For every binary operation such as = and + over values, there 
is an operation on states. Note that (in the case of =) Booleans 
are implemented by means of integers (every non-negative integer 
means true) . We have already explained why we use two states for 
binary operations. 

— The operation is_null checks that res points to null. 

— The operation $\mathtt{call}$ is used before, and the operation $\mathtt{return}$ is used after, a call to a method $\nu$. While $\mathtt{call}^\nu$ creates a new state in which $\nu$ can execute, the operation $\mathtt{return}^\nu$ restores the state $\sigma$ which was current before the call to $\nu$, and stores in $\mathit{res}$ the result of the call. As said in (the beginning of) Section 3, the denotation of the method is taken from an interpretation, in a denotational fashion [7]. Hence the execution from an initial state $\sigma_1$ of a method call denoted, in the current interpretation, by $d : \Sigma \to \Sigma$, yields the final state $\mathtt{return}(\sigma_1)(d(\mathtt{call}(\sigma_1)))$. Note that $\mathtt{return}$ is a binary operation whose first argument is the state of the caller at call-time and whose second argument is the state of the callee at return-time. Its definition in Figure 8 restores the state of the caller but stores in $\mathit{res}$ the return value of the callee. By using a binary operation we can define our semantics in terms of states rather than in terms of activation stacks. This is a useful simplification when passing to abstraction, since states must be abstracted rather than stacks. Note that the update relation (Definition 11) requires that the variables of the caller have not been changed during the execution of the method (although the fields of the objects bound to those variables may be changed).

Figure 8. The operations over concrete states.

$\mathtt{nop}_\tau(\phi \star \mu) = \phi \star \mu$

$\mathtt{get\_int}^i_\tau(\phi \star \mu) = \phi[\mathit{res} \mapsto i] \star \mu$

$\mathtt{get\_null}^\kappa_\tau(\phi \star \mu) = \phi[\mathit{res} \mapsto \mathit{null}] \star \mu$

$\mathtt{get\_var}^v_\tau(\phi \star \mu) = \phi[\mathit{res} \mapsto \phi(v)] \star \mu$

$\mathtt{restrict}^{vs}_\tau(\phi \star \mu) = \phi|_{-vs} \star \mu$

$\mathtt{expand}^{v:t}_\tau(\phi \star \mu) = \phi[v \mapsto \Im(t)] \star \mu$

$\mathtt{put\_var}^v_\tau(\phi \star \mu) = \phi[v \mapsto \phi(\mathit{res})]|_{-\mathit{res}} \star \mu$

$\mathtt{get\_field}^f_\tau(\phi' \star \mu) = \phi'[\mathit{res} \mapsto ((\mu\phi'(\mathit{res})).\phi)(f)] \star \mu$ if $\phi'(\mathit{res}) \ne \mathit{null}$, undefined otherwise

$\mathtt{put\_field}^f_{\tau,\tau'}(\phi_1 \star \mu_1)(\phi_2 \star \mu_2) = \phi_2|_{-\mathit{res}} \star \mu_2[l \mapsto \mu_2(l).\pi \star \mu_2(l).\phi[f \mapsto \phi_2(\mathit{res})]]$ if $l = \phi_1(\mathit{res})$, $l \ne \mathit{null}$ and $\mu_1 =_l \mu_2$, undefined otherwise

$=_\tau(\phi_1 \star \mu_1)(\phi_2 \star \mu_2) = \phi_2[\mathit{res} \mapsto 1] \star \mu_2$ if $\phi_1(\mathit{res}) = \phi_2(\mathit{res})$, and $\phi_2[\mathit{res} \mapsto -1] \star \mu_2$ if $\phi_1(\mathit{res}) \ne \phi_2(\mathit{res})$

$+_\tau(\phi_1 \star \mu_1)(\phi_2 \star \mu_2) = \phi_2[\mathit{res} \mapsto \phi_1(\mathit{res}) + \phi_2(\mathit{res})] \star \mu_2$

$\mathtt{is\_null}_\tau(\phi \star \mu) = \phi[\mathit{res} \mapsto 1] \star \mu$ if $\phi(\mathit{res}) = \mathit{null}$, and $\phi[\mathit{res} \mapsto -1] \star \mu$ otherwise

$\mathtt{call}^{v_1,\ldots,v_n}_\tau(\phi \star \mu) = [\iota_1 \mapsto \phi(v_1), \ldots, \iota_n \mapsto \phi(v_n), \mathit{this} \mapsto \phi(\mathit{res})] \star \mu$, where $\{\iota_1, \ldots, \iota_n\} = \mathrm{dom}(P(\nu)) \setminus \{\mathit{out}, \mathit{this}\}$ (alphabetically ordered)

$\mathtt{return}^\nu_\tau(\phi_1 \star \mu_1)(\phi_2 \star \mu_2) = \phi_1[\mathit{res} \mapsto \phi_2(\mathit{out})] \star \mu_2$ if $L = \mathrm{rng}(\phi_1|_{-\mathit{res}}) \cap \mathit{Loc}$ and $\mu_1 =_L \mu_2$, undefined otherwise

$\mathtt{new}^\pi_\tau(\phi \star \mu) = \phi[\mathit{res} \mapsto l] \star \mu[l \mapsto \pi \star \Im(F(k(\pi)))]$, with $l \in \mathit{Loc} \setminus \mathrm{dom}(\mu)$

$\mathtt{lookup}^{m,\nu}_\tau(\phi \star \mu) = \phi \star \mu$ if $\phi(\mathit{res}) \ne \mathit{null}$ and $M(k((\mu\phi(\mathit{res})).\pi))(m) = \nu$, undefined otherwise

$\mathtt{is\_true}_\tau(\phi \star \mu) = \phi|_{-\mathit{res}} \star \mu$ if $\phi(\mathit{res}) \ge 0$, undefined otherwise

$\mathtt{is\_false}_\tau(\phi \star \mu) = \phi|_{-\mathit{res}} \star \mu$ if $\phi(\mathit{res}) < 0$, undefined otherwise.

— The operation $\mathtt{expand}$ ($\mathtt{restrict}$) adds (removes) variables.

— The operation $\mathtt{new}^\pi$ creates a new object $o$ of creation point $\pi$. A pointer to $o$ is put in $\mathit{res}$. Its fields are initialised to default values.

— The operation $\mathtt{lookup}^{m,\nu}$ checks if, by calling the method identified by $m$ of the object $o$ pointed to by $\mathit{res}$, the method $\nu$ is run. This depends on the class $k(o.\pi)$ of $o = \mu\phi(\mathit{res})$.

— The operation $\mathtt{is\_true}$ ($\mathtt{is\_false}$) checks if $\mathit{res}$ contains true (false).

Example 19 See journal version of this paper.

3.4. The Collecting Semantics 

The operations of Figure 8 can be used to define the transition function from states to states, or denotation, of a piece of code $c$, as shown in Example 19. By use of call and return, there is a denotation for each method called in $c$; thus, by adding call and return, we can plug the method's denotation into the calling points inside $c$ (as shown in Subsection 3.3 and in Example 19). A function $I$ binding each method $m$ in a program $P$ to its denotation $I(m)$ is called an interpretation of $P$. Given an interpretation $I$, we are hence able to define the denotation $T_P(I)(m)$ of the body of a method $m$, so that we are able to transform $I$ into a new interpretation $T_P(I)$. This leads to the definition of the denotational semantics of $P$ as the least (i.e., least defined) interpretation which is a fixpoint of $T_P$. This way of defining the concrete semantics in a denotational way through interpretations is useful for a subsequent abstraction [11]. The technique, which has been extensively used in the logic programming tradition [7], has been adapted in [31] for object-oriented imperative programs by adding the mechanism for dynamic dispatch through the lookup operation in Figure 8. Note that the fixpoint of $T_P$ is not finitely computable in general, but it does exist as a consequence of Tarski's theorem and it is the limit of the ascending chain of interpretations $I_0, T_P(I_0), T_P(T_P(I_0)), \dots$, where, for every method $m$, the denotation $I_0(m)$ is always undefined [33].

The concrete semantics described above denotes each method with a map on states i.e., a function from $\Sigma$ to $\Sigma$. However, abstract interpretation is interested in properties of states, so that each property of interest is identified with the set of all the states satisfying that property. This leads to the definition of a collecting semantics [10, 11] i.e., a concrete semantics working over the powerset $\wp(\Sigma_\tau)$. The operations of this collecting semantics are the powerset extension of the operations in Figure 8. For instance, $\mathit{get\_int}_\tau$ is extended into

$\mathit{get\_int}_\tau(S) = \{\mathit{get\_int}_\tau(\sigma) \mid \sigma\in S\}$

for every $S\in\wp(\Sigma_\tau)$. Note that dealing with powersets means that the semantics becomes non-deterministic. For instance, in Example 19 more than one target of the f.def() virtual call could be selected at the same time and more than one of the blocks of code could be executed. Hence we need a $\cup$ operation over sets of states which merges different threads of execution at the end of a virtual call (or, for similar motivations, at the end of a conditional). The notion of denotation now becomes a map over $\wp(\Sigma_\tau)$. Interpretations and the transformer on interpretations are defined exactly as above. We will assume the result, proved in [31], that every abstraction of $\wp(\Sigma_\tau)$, of $\cup$ and of the powerset extension of the operations in Figure 8 induces an abstraction of the concrete collecting semantics. This is an application to object-oriented imperative programs of the fixpoint transfer Proposition 27 in [11]. Two such abstractions will be described in Sections 4 and 5.

4. The Basic Domain $\mathcal{E}$

We define here a basic abstract domain $\mathcal{E}$ as a property of the concrete states of Definition 16. Its definition is guided by our goal to overapproximate, for every program point $p$, the set of creation points of objects reachable at $p$ from some variable or field in scope. Thus an element of the abstract domain $\mathcal{E}$ which decorates a program point $p$ is simply a set of creation points of objects that may be reached at $p$. The choice of an overapproximation follows from the typical use of the information provided by an escape analysis. For instance, an object can be stack allocated if it does not escape the method which creates it i.e., if it does not belong to a superset of the objects reachable at its end. Moreover, our goal is to stack allocate specific creation points. Hence, we are not interested in the identity of the objects but in their creation points.

Although, at the end of this section, we will see that $\mathcal{E}$ induces rather imprecise abstract operations, its definition is important since $\mathcal{E}$ comprises exactly the information needed to implement our escape analysis. Even though its abstract operations lose precision, we still need $\mathcal{E}$ as a basis for comparison and as a minimum requirement for new, improved domains for escape analysis. Namely, in Section 5 we will define a more precise abstract domain $\mathcal{ER}$ for escape analysis, and we will prove (Proposition 56) that it strictly contains $\mathcal{E}$. This situation is similar to that of the abstract domain $\mathcal{G}$ for groundness analysis of logic programs [30] which, although imprecise, expresses the property looked for by the analysis, and is the basis of all the other abstract domains for groundness analysis, derived as refinements of $\mathcal{G}$ [29]. The definition of more precise abstract domains as refinements of simpler ones is actually standard methodology in abstract interpretation nowadays [15]. Another example is strictness analysis of functional programs, where a first simple domain is subsequently enriched to express more precise information [19]. A similar idea has also been applied to model checking, through a sequence of refinements of a simple abstract domain [12]. A refinement, in this context, is just an operation that transforms a simpler domain into a richer one i.e., one containing more abstract elements. There are many standard refinement operations. One of these is reduced product, which allows one to compose two abstract domains in order to express the composition of the properties expressed by the two domains; another is disjunctive completion, which enriches an abstract domain with the ability to express disjunctive information about the properties expressed by the domain [22]. Another example is the linear refinement of a domain w.r.t. another, which expresses the dependencies between the abstract properties expressed by the two domains [16]. In Section 5 we use a refinement which is significant for imperative programs, where assignments to program variables are the pervasive operation. Hence, a variable-based approximation often yields improved precision w.r.t. a global approximation of the state, such as that expressed by $\mathcal{E}$. This same refinement is used, for instance, when passing from rapid type analysis to a variable-based class analysis of object-oriented imperative programs in [31].

We show an example now that clarifies the idea of reachability for 
objects at a program point. 



Example 20 See journal version of this paper. 
The reasoning in Example 20 leads to the notion of reachability in Definition 21, where we use the actual fields of the objects instead of those of the declared class of the variables.

Definition 21 (Reachability) Let $\sigma = \phi\star\mu\in\Sigma_\tau$ and $S\subseteq\Sigma_\tau$. The set of the objects reachable in $\sigma$ is $O_\tau(\sigma) = \bigcup\{O^i_\tau(\sigma)\mid i\ge 0\}$, where $O^0_\tau(\phi\star\mu) = \emptyset$ and

$O^{i+1}_\tau(\phi\star\mu) = \bigcup\{\{o\}\cup O^i_{F(k(o.\pi))}(o.\phi\star\mu) \mid v\in\mathrm{dom}(\tau),\ \phi(v)\in\mathit{Loc},\ o = \mu\phi(v)\}.$

The maps $O^i_\tau$ are extended to $\wp(\Sigma_\tau)$ as $O^i_\tau(S) = \bigcup\{O^i_\tau(\sigma)\mid\sigma\in S\}$.

Proposition 18 provides a guarantee that Definition 21 is well-defined. Observe that variables and fields of type int do not contribute to $O_\tau$. We can now define the abstraction map for $\mathcal{E}$. It selects the creation points of the reachable objects.

Definition 22 (Abstraction Map for $\mathcal{E}$) Let $S\subseteq\Sigma_\tau$. The abstraction map for $\mathcal{E}$ is

$\alpha^{\mathcal{E}}_\tau(S) = \{o.\pi \mid \sigma\in S \text{ and } o\in O_\tau(\sigma)\}\subseteq\Pi.$

Example 23 See journal version of this paper.



4.1. The Domain $\mathcal{E}$ in the Presence of Type Information

Definition 22 seems to suggest that $\mathrm{rng}(\alpha^{\mathcal{E}}_\tau) = \wp(\Pi)$ i.e., that every set of creation points is a legal approximation at each given program point. However, this is not true if type information is taken into account.

Example 24 See journal version of this paper.

Example 24 shows that static type information provides escape information by indicating which subsets of creation points are not the abstraction of any concrete state. We should therefore characterise which are the good or meaningful elements of $\wp(\Pi)$. This is important because it reduces the size of the abstract domain and removes useless creation points during the analysis through the use of an abstract garbage collector $\delta_\tau$ (Definition 25).

Let $e\in\wp(\Pi)$. Then $\delta_\tau(e)$ is defined as the largest subset of $e$ which contains only those creation points deemed useful by the type environment $\tau$. This set is computed first by collecting the creation points that create objects compatible with the types in $\tau$. For each of these points, this check is reiterated for each of the fields of the object it creates until a fixpoint is reached. Note that if there are no possible creation points for $\mathsf{this}$, all creation points are useless.

main.tex; 1/02/2008; 21:23; p. 17

Definition 25 (Abstract Garbage Collector $\delta$) Let $e\subseteq\Pi$. We define $\delta_\tau(e) = \bigcup\{\delta^i_\tau(e)\mid i\ge 0\}$ with $\delta^0_\tau(e) = \emptyset$ and

$\delta^{i+1}_\tau(e) = \begin{cases}\emptyset & \text{if } \mathsf{this}\in\mathrm{dom}(\tau) \text{ and no } \pi\in e \text{ is s.t. } k(\pi)\le\tau(\mathsf{this})\\ \bigcup\{\{\pi\}\cup\delta^i_{F(k(\pi))}(e) \mid \kappa\in\mathrm{rng}(\tau)\cap\mathcal{K},\ \pi\in e,\ k(\pi)\le\kappa\} & \text{otherwise.}\end{cases}$

It follows from Definition 25 that $\delta^i_\tau\subseteq\delta^{i+1}_\tau$ and hence $\delta_\tau = \delta^{|\Pi|}_\tau$. Note that in Definition 25 we consider all subclasses of $\kappa$ (Example 20).

Example 26 See journal version of this paper. 

Proposition 27 states that the abstract garbage collector $\delta_\tau$ is a lower closure operator, so that it possesses the properties of monotonicity, reductivity and idempotence that would be expected of a garbage collector.

Proposition 27 Let $i\in\mathbb{N}$. The abstract garbage collectors $\delta^i_\tau$ and $\delta_\tau$ are lco's.

The following result proves that $\delta_\tau$ can be used to define $\mathrm{rng}(\alpha^{\mathcal{E}}_\tau)$. Namely, the useful elements of $\wp(\Pi)$ are those that do not contain any garbage. The proof of Proposition 28 relies on the explicit construction, for every $e\subseteq\Pi$, of a set of concrete states $X$ such that $\alpha^{\mathcal{E}}_\tau(X) = \delta_\tau(e)$, which is a fixpoint of $\delta_\tau$ by a well-known property of lco's.

Proposition 28 Let $\delta_\tau$ be an abstract garbage collector. We have that $\mathrm{fp}(\delta_\tau) = \mathrm{rng}(\alpha^{\mathcal{E}}_\tau)$ and $\emptyset\in\mathrm{fp}(\delta_\tau)$. Moreover, if $\mathsf{this}\in\mathrm{dom}(\tau)$, then for every $X\subseteq\Sigma_\tau$ we have $\alpha^{\mathcal{E}}_\tau(X) = \emptyset$ if and only if $X = \emptyset$.

Proposition 28 lets us assume that $\alpha^{\mathcal{E}}_\tau : \wp(\Sigma_\tau)\to\mathrm{fp}(\delta_\tau)$. Moreover, it justifies the following definition of our domain $\mathcal{E}$ for escape analysis. Proposition 28 can be used to compute the possible approximations from $\mathcal{E}$ at a given program point. However, it does not specify which of these is best. This is the goal of an escape analysis (Subsection 4.2).



Definition 29 (Abstract Domain $\mathcal{E}$) Our basic domain for escape analysis is $\mathcal{E}_\tau = \mathrm{fp}(\delta_\tau)$, ordered by set inclusion.

Example 30 See journal version of this paper.

By Definition 22, we know that $\alpha^{\mathcal{E}}_\tau$ is strict and additive and, by Proposition 28, onto $\mathcal{E}_\tau$. Thus, by a general result of abstract interpretation [10, 11] (Section 2), we have the following proposition.

Proposition 31 The map $\alpha^{\mathcal{E}}_\tau$ (Definition 22) is the abstraction map of a Galois insertion from $\wp(\Sigma_\tau)$ to $\mathcal{E}_\tau$.

Note that if, in Definition 29, we had defined $\mathcal{E}_\tau$ as $\wp(\Pi)$, the map $\alpha^{\mathcal{E}}$ would induce just a Galois connection instead of a Galois insertion, as a consequence of Proposition 28.

The domain $\mathcal{E}$ induces optimal abstract operations which can be used for an actual escape analysis. We discuss this in the next subsection.

4.2. Static Analysis over $\mathcal{E}$

Figure 9 defines the abstract counterparts of the concrete operations in Figure 8. Proposition 32 states that they are correct and optimal, in the sense of abstract interpretation (Section 2). Optimality is proved by showing that each operation in Figure 9 coincides with the optimal operation $\alpha^{\mathcal{E}}\circ op\circ\gamma^{\mathcal{E}}$, where $op$ is the corresponding concrete operation in Figure 8, as required by the abstract interpretation framework. Note that the map $\gamma^{\mathcal{E}}$ is induced by $\alpha^{\mathcal{E}}$ (Section 2).

Proposition 32 The operations in Figure 9 are the optimal counterparts induced by $\alpha^{\mathcal{E}}$ of the operations in Figure 8 and of $\cup$. They are implicitly strict on $\emptyset$, except for return, which is strict in its first argument only, and for $\cup$.

Many operations in Figure 9 coincide with the identity map. This is a sign of the computational imprecision conveyed by the domain $\mathcal{E}$. Other operations call the $\delta$ garbage collector quite often to remove creation points of objects which might become unreachable since some variable has disappeared from the scope. For instance, as the concrete put_var operation copies the temporary variable $\mathsf{res}$ into $v$ and then removes $\mathsf{res}$ from the scope (Figure 8), its abstract counterpart in Figure 9 calls the garbage collector. The same happens for restrict which, however, removes a set of variables from the scope. There are also some operations (is_null, put_field, lookup) that use $\mathsf{res}$ as a temporary variable and one operation (get_field) that changes the type of $\mathsf{res}$. Hence these abstract operations also need to call the garbage
$\mathit{nop}_\tau(e) = e$
$\mathit{get\_int}_\tau(e) = e$
$\mathit{get\_null}_\tau(e) = e$
$\mathit{get\_var}^v_\tau(e) = e$
$\mathit{is\_true}_\tau(e) = e$
$\mathit{is\_false}_\tau(e) = e$
$\mathit{is\_null}_\tau(e) = \delta_{\tau|_{-\mathsf{res}}}(e)$
$\mathit{put\_var}^v_\tau(e) = \delta_{\tau|_{-\mathsf{res}}}(e)$
$\mathit{new}^\pi_\tau(e) = e\cup\{\pi\}$
$\mathit{expand}^{v:t}_\tau(e) = e$
$\mathit{restrict}^{vs}_\tau(e) = \delta_{\tau|_{-vs}}(e)$
$=_\tau(e_1)(e_2) = +_\tau(e_1)(e_2) = e_2$
$\cup_\tau(e_1)(e_2) = e_1\cup e_2$
$\mathit{call}^{v_1,\dots,v_n}_\tau(e) = \delta_{\tau|_{\{v_1,\dots,v_n,\mathsf{res}\}}}(e)$

$\mathit{get\_field}^f_\tau(e) = \begin{cases}\emptyset & \text{if } \{\pi\in e\mid k(\pi)\le\tau(\mathsf{res})\} = \emptyset\\ \delta_{\tau|_{-\mathsf{res}}[\mathsf{res}\mapsto F(\tau(\mathsf{res}))(f)]}(e) & \text{otherwise}\end{cases}$

$\mathit{put\_field}^f_\tau(e_1)(e_2) = \begin{cases}\emptyset & \text{if } \{\pi\in e_1\mid k(\pi)\le\tau(\mathsf{res})\} = \emptyset\\ \delta_{\tau|_{-\mathsf{res}}}(e_2) & \text{otherwise}\end{cases}$

$\mathit{return}_\tau(e_1)(e_2) = \bigcup\{\{\pi\}\cup\delta_{F(k(\pi))}(\Pi) \mid \kappa\in\mathrm{rng}(\tau|_{-\mathsf{res}})\cap\mathcal{K},\ \pi\in e_1,\ k(\pi)\le\kappa\}\cup e_2$

$\mathit{lookup}^{m,\nu}_\tau(e) = \begin{cases}\emptyset & \text{if } e' = \{\pi\in e\mid k(\pi)\le\tau(\mathsf{res}),\ M(k(\pi))(m) = \nu\} = \emptyset\\ \delta_{\tau|_{-\mathsf{res}}}(e)\cup\bigcup\{\{\pi\}\cup\delta_{F(k(\pi))}(e)\mid\pi\in e'\} & \text{otherwise.}\end{cases}$

Figure 9. The optimal abstract operations over $\mathcal{E}$.



collector. Note that the definitions of the get_field, put_field and lookup operations also consider, separately, the unusual situation when we read a field, respectively write a field or call a method, and the receiver is always null. In this case, the concrete computation always stops, so that the best approximation of the (empty) set of subsequent states is $\emptyset$. The garbage collector is also called by call since it creates a scope for the callee where only some of the variables of the caller (namely, the parameters of the callee) are addressable. The new operation adds its creation point to the approximation, since its concrete counterpart creates an object and binds it to the temporary variable $\mathsf{res}$. The $\cup$ operation computes the union of the creation points reachable from at least one of the two branches of a conditional. The return operation states that all fields of the objects bound to the variables in scope before the call might have been modified by the call. This is reflected by the use of $\delta_{F(k(\pi))}(\Pi)$ in return, which plays the role of a worst-case assumption on the content of the fields. After Example 33 we discuss how to cope with the possible imprecision of this definition. The lookup operation computes first the set $e'$ of the creation points of objects that may be receivers of the virtual call. If this set is not empty, the variable $\mathsf{res}$ (which holds the receiver of the call) is required to be bound to an object created at some creation point in $e'$. This further constrains the creation points reachable from $\mathsf{res}$ and this is why we call the garbage collector $\delta_{F(k(\pi))}$ for each $\pi\in e'$.

The definitions of return and lookup are quite complex; this is a consequence of our quest for optimal abstract operations. It is possible to replace their definitions in Figure 9 by the less precise but simpler definitions:

$\mathit{return}_\tau(e_1)(e_2) = \delta_\tau(\Pi)\cup e_2 \qquad\qquad \mathit{lookup}^{m,\nu}_\tau(e) = e.$

Note though that, in practice, the results with the simpler definitions will often be the same.
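The following Python prototype is an added example, not code from the paper: it implements the abstract garbage collector $\delta_\tau$ of Definition 25 and a handful of the operations of Figure 9 (new, put_var, restrict, $\cup$, lookup, return) over a constructed program. The program, its classes A, B $\le$ A and C, the field B.peer of type B, the creation points p1, p2, p3 and the method table for a method m are all assumptions of the example. It exercises the two points made above: once $\mathsf{res}$ leaves the scope, $\delta$ drops the creation points that no variable or field in scope can still reach, and lookup uses the escape information to restrict the possible receivers of a virtual call (and returns $\emptyset$ when the call can never run the given method).

```python
"""Prototype of the basic escape domain E (Definition 25, Figure 9).
Added example on a constructed program; not the paper's code."""

INT = "int"

# Constructed program (an assumption of this example, not one of the paper's).
SUBCLASS = {"A": {"A"}, "B": {"A", "B"}, "C": {"C"}}       # kappa -> {kappa' | kappa <= kappa'}
FIELDS = {"A": {}, "B": {"B.peer": "B"}, "C": {}}          # F(kappa): type environment of its fields
CLASS_OF = {"p1": "A", "p2": "B", "p3": "C"}               # k(pi) for each creation point pi
METHODS = {"A": {"m": "A.m"}, "B": {"m": "B.m"}, "C": {"m": "C.m"}}  # M(kappa)(m) = nu
PI = frozenset(CLASS_OF)                                   # all creation points of the program

def leq(k1, k2):
    """k1 <= k2 in the class hierarchy (reflexive)."""
    return k2 in SUBCLASS[k1]

def without(tau, *vs):
    """tau|_{-vs}: the type environment without the variables vs."""
    return {v: t for v, t in tau.items() if v not in vs}

def delta_i(tau, e, i):
    """delta^i_tau(e) of Definition 25, with delta^0 the empty set."""
    if i == 0:
        return frozenset()
    if "this" in tau and not any(leq(CLASS_OF[p], tau["this"]) for p in e):
        return frozenset()      # nothing can be bound to this: no concrete state at all
    kept = set()
    for kappa in set(tau.values()) - {INT}:
        for p in e:
            if leq(CLASS_OF[p], kappa):
                kept.add(p)
                kept |= delta_i(FIELDS[CLASS_OF[p]], e, i - 1)   # reiterate on its fields
    return frozenset(kept)

def delta(tau, e):
    """delta_tau(e) = union of the delta^i_tau(e); the chain is increasing inside the
    finite set PI, so it is stable after at most |PI| steps."""
    e = frozenset(e)
    return frozenset().union(*(delta_i(tau, e, i) for i in range(len(PI) + 2)))

# Some of the optimal abstract operations of Figure 9.
def new(tau, pi, e):
    return frozenset(e) | {pi}

def put_var(tau, v, e):          # res leaves the scope after being copied into v
    return delta(without(tau, "res"), e)

def restrict(tau, vs, e):
    return delta(without(tau, *vs), e)

def join(e1, e2):
    return frozenset(e1) | frozenset(e2)

def lookup(tau, m, nu, e):
    """Keep only the receivers in res whose class runs nu when m is called."""
    e = frozenset(e)
    receivers = {p for p in e
                 if leq(CLASS_OF[p], tau["res"]) and METHODS[CLASS_OF[p]].get(m) == nu}
    if not receivers:
        return frozenset()      # nu is never called here: best approximation of no state
    out = set(delta(without(tau, "res"), e))
    for p in receivers:
        out |= {p} | delta(FIELDS[CLASS_OF[p]], e)
    return frozenset(out)

def ret(tau, e1, e2):
    """return_tau(e1)(e2): the caller's variables survive, but their fields may now hold
    any creation point compatible with their type (worst case delta_{F(k(pi))}(PI))."""
    out = set(e2)
    for kappa in set(without(tau, "res").values()) - {INT}:
        for p in e1:
            if leq(CLASS_OF[p], kappa):
                out |= {p} | delta(FIELDS[CLASS_OF[p]], PI)
    return frozenset(out)

def demo():
    tau = {"res": "A", "y": "C"}          # static types of the variables in scope
    e = {"p1", "p2", "p3"}
    return {
        "gc_keeps_all": delta(tau, e),
        "restrict_res": restrict(tau, ["res"], e),    # no variable of type A is left
        "this_unbindable": delta({"this": "C"}, {"p1", "p2"}),
        "lookup_B": lookup(tau, "m", "B.m", e),       # receiver must be a B object
        "lookup_A": lookup(tau, "m", "A.m", e),
        "lookup_C": lookup(tau, "m", "C.m", e),       # C is not a subclass of A
        "return": ret({"x": "B", "res": "A"}, {"p2"}, {"p3"}),
        "new": new(tau, "p3", {"p1"}),
    }

if __name__ == "__main__":
    for name, value in demo().items():
        print(name, sorted(value))
```

Running `demo()` shows that restricting $\mathsf{res}$ away leaves only p3 (the only point whose class matches a remaining variable), that a scope whose $\mathsf{this}$ cannot be bound collapses to $\emptyset$ (Proposition 28), and that lookup with $\nu$ = B.m removes p1 while lookup with $\nu$ = A.m removes p2: the escape information selects the targets of the virtual call.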

Example 33 See journal version of this paper. 

There is, however, another problem related with the domain $\mathcal{E}$. It is exemplified below.

Example 34 See journal version of this paper.



5. The Refined Domain $\mathcal{ER}$

We define here a refinement $\mathcal{ER}$ of the domain $\mathcal{E}$ of Section 4, in the sense that $\mathcal{ER}$ is a concretisation of $\mathcal{E}$ (Proposition 56). The idea underlying the definition of $\mathcal{ER}$ is that the precision of $\mathcal{E}$ can be improved if we can speak about the creation points of the objects bound to a given variable or field (see the problem highlighted in Example 34). The construction of $\mathcal{ER}$ is very similar to that of $\mathcal{E}$.

5.1. The Domain $\mathcal{ER}$

Definition 11 defines concrete values. The domain $\mathcal{ER}$ we are going to define approximates every concrete value with an abstract value. An abstract value is either $*$, which approximates the integers, or a set $e\subseteq\Pi$, which approximates $\mathit{null}$ and all locations containing an object created at some creation point in $e$. An abstract frame maps variables to abstract values consistent with their type.

Definition 35 (Abstract Values and Frames) Let the abstract values be $\mathit{Value}^{\mathcal{ER}} = \{*\}\cup\wp(\Pi)$. We define

$\mathit{Frame}^{\mathcal{ER}}_\tau = \left\{\phi\in\mathrm{dom}(\tau)\to\mathit{Value}^{\mathcal{ER}} \;\middle|\; \text{for every } v\in\mathrm{dom}(\tau): \text{ if } \tau(v) = \mathit{int} \text{ then } \phi(v) = *;\ \text{if } \tau(v)\in\mathcal{K} \text{ and } \pi\in\phi(v) \text{ then } k(\pi)\le\tau(v)\right\}.$

The set $\mathit{Frame}^{\mathcal{ER}}_\tau$ is ordered by pointwise set-inclusion.

Example 36 See journal version of this paper. 

The map $\varepsilon$ extracts the creation points of the objects bound to the variables.

Definition 37 (Extraction Map) The map $\varepsilon_\tau : \wp(\Sigma_\tau)\to\mathit{Frame}^{\mathcal{ER}}_\tau$ is such that, for every $S\subseteq\Sigma_\tau$ and $v\in\mathrm{dom}(\tau)$,

$\varepsilon_\tau(S)(v) = \begin{cases}* & \text{if } \tau(v) = \mathit{int}\\ \{(\mu\phi(v)).\pi \mid \phi\star\mu\in S \text{ and } \phi(v)\in\mathit{Loc}\} & \text{if } \tau(v)\in\mathcal{K}.\end{cases}$

Example 38 See journal version of this paper.

Since it is assumed that all the fields are uniquely identified by their fully qualified name, the type environment $\bar\tau$ of all the fields introduced by the program is well-defined.

Definition 39 (Type Environment of All Fields) We define the type environment of all fields as $\bar\tau = \bigcup\{F(\kappa)\mid\kappa\in\mathcal{K}\}$. Let $\tau\in\mathit{TypEnv}$ be such that $\mathrm{dom}(\tau)\subseteq\mathrm{dom}(\bar\tau)$ and $\phi\in\mathit{Frame}_\tau$. Its extension $\bar\phi\in\mathit{Frame}_{\bar\tau}$ is such that, for every $v\in\mathrm{dom}(\bar\tau)$,

$\bar\phi(v) = \begin{cases}\phi(v) & \text{if } v\in\mathrm{dom}(\tau)\\ \Im(\bar\tau(v)) & \text{otherwise (Definition 11).}\end{cases}$

Example 40 See journal version of this paper.

An abstract memory is an abstract frame for $\bar\tau$. The abstraction map computes the abstract memory by extracting the creation points of the fields of the reachable objects of the concrete memory (Definition 21).

Definition 41 (Abstraction Map for $\mathcal{ER}$) Let the set of abstract memories be $\mathit{Memory}^{\mathcal{ER}} = \mathit{Frame}^{\mathcal{ER}}_{\bar\tau}$. We define the map

$\alpha^{\mathcal{ER}}_\tau : \wp(\Sigma_\tau)\to\{\bot\}\cup(\mathit{Frame}^{\mathcal{ER}}_\tau\times\mathit{Memory}^{\mathcal{ER}})$

such that, for $S\subseteq\Sigma_\tau$,

$\alpha^{\mathcal{ER}}_\tau(S) = \begin{cases}\bot & \text{if } S = \emptyset\\ \varepsilon_\tau(S)\star\varepsilon_{\bar\tau}(\{\overline{o.\phi}\star\sigma.\mu \mid \sigma\in S \text{ and } o\in O_\tau(\sigma)\}) & \text{otherwise.}\end{cases}$

Example 42 See journal version of this paper.

Compare Examples 42 and 23. You can see that $\mathcal{ER}$ distributes over the variables and fields the same creation points observed by $\mathcal{E}$.

As a notational simplification, we often assume that each field not reported in the approximation of the memory is implicitly bound to $\emptyset$, if it has class type, and bound to $*$, if it has int type.

Just as for $\alpha^{\mathcal{E}}_\tau$ (Example 24), the following example shows that the map $\alpha^{\mathcal{ER}}_\tau$ is not necessarily onto.

Example 43 See journal version of this paper. 

Hence, we define a map $\xi$ which forces to $\emptyset$ the fields of class type of the objects which have no reachable creation point. Just as the garbage collector $\delta$ for $\mathcal{E}$, the map $\xi$ can be seen as an abstract garbage collector for $\mathcal{ER}$. This $\xi$ uses an auxiliary map $\rho$ to compute the set of creation points $r$ reachable from the variables in scope. The approximations of the fields of the objects created at $r$ are not garbage collected by $\xi$. The approximations of the other fields are garbage collected instead.

Definition 44 (Abstract Garbage Collector $\xi$) We define $\rho_\tau : \mathit{Frame}^{\mathcal{ER}}_\tau\times\mathit{Memory}^{\mathcal{ER}}\to\wp(\Pi)$ and $\xi_\tau : \{\bot\}\cup(\mathit{Frame}^{\mathcal{ER}}_\tau\times\mathit{Memory}^{\mathcal{ER}})\to\{\bot\}\cup(\mathit{Frame}^{\mathcal{ER}}_\tau\times\mathit{Memory}^{\mathcal{ER}})$ as $\rho_\tau(s) = \bigcup\{\rho^i_\tau(s)\mid i\ge 0\}$, $\xi_\tau(\bot) = \bot$ and

$\xi_\tau(\phi\star\mu) = \begin{cases}\bot & \text{if } \mathsf{this}\in\mathrm{dom}(\tau) \text{ and } \phi(\mathsf{this}) = \emptyset\\ \phi\star\overline{\mu|_{\bigcup\{\mathrm{dom}(F(k(\pi)))\mid\pi\in\rho_\tau(\phi\star\mu)\}}} & \text{otherwise.}\end{cases}$

Example 45 See journal version of this paper.

The following property is expected to hold for a garbage collector. Compare Propositions 27 and 46.

Proposition 46 The abstract garbage collector $\xi_\tau$ is an lco.

The garbage collector $\xi_\tau$ can be used to define $\mathrm{rng}(\alpha^{\mathcal{ER}}_\tau)$. Namely, the useful elements of $\mathit{Frame}^{\mathcal{ER}}_\tau\times\mathit{Memory}^{\mathcal{ER}}$ are exactly those that do not contain any garbage. Compare Propositions 28 and 47.

Proposition 47 Let $\xi_\tau$ be the abstract garbage collector of Definition 44. Then $\mathrm{fp}(\xi_\tau) = \mathrm{rng}(\alpha^{\mathcal{ER}}_\tau)$.
Proposition 47 allows us to assume that $\alpha^{\mathcal{ER}}_\tau : \wp(\Sigma_\tau)\to\mathrm{fp}(\xi_\tau)$ and justifies the following definition.

Definition 48 (Abstract Domain $\mathcal{ER}$) We define $\mathcal{ER}_\tau = \mathrm{fp}(\xi_\tau)$, ordered by pointwise set-inclusion (with the assumption that $*\subseteq *$ and $\bot\subseteq s$ for every $s\in\mathcal{ER}_\tau$).

By Definitions 37 and 41 we know that the map $\alpha^{\mathcal{ER}}_\tau$ is strict and additive. By Proposition 47 we know that it is onto. Thus we have the following result, corresponding to Proposition 31 for the domain $\mathcal{E}$.

Proposition 49 The map $\alpha^{\mathcal{ER}}_\tau$ is the abstraction map of a Galois insertion from $\wp(\Sigma_\tau)$ to $\mathcal{ER}_\tau$.

5.2. Static Analysis over $\mathcal{ER}$

In order to use the domain $\mathcal{ER}$ for an escape analysis, we need to provide the abstract counterparts over $\mathcal{ER}$ of the concrete operations in Figure 8. Since $\mathcal{ER}$ approximates every variable and field with an abstract value, those abstract operations are similar to those of Palsberg and Schwartzbach's domain for class analysis in [23] as formulated in [31]. However, $\mathcal{ER}$ observes the fields of just the reachable objects (Definition 41), while Palsberg and Schwartzbach's domain observes the fields of all objects in memory.

Figure 10 reports the abstract counterparts on $\mathcal{ER}$ of the concrete operations in Figure 8. These operations are implicitly strict on $\bot$ except for $\cup$. In this case, we define $\bot\cup(\phi\star\mu) = (\phi\star\mu)\cup\bot = \phi\star\mu$. Their optimality is proved by showing that each operation in Figure 10 coincides with the optimal operation $\alpha^{\mathcal{ER}}\circ op\circ\gamma^{\mathcal{ER}}$, where $op$ is the corresponding concrete operation in Figure 8, as required by the abstract interpretation framework. Note that the map $\gamma^{\mathcal{ER}}$ is induced by $\alpha^{\mathcal{ER}}$ (Section 2).

Proposition 50 The operations in Figure 10 are the optimal counterparts induced by $\alpha^{\mathcal{ER}}$ of the operations in Figure 8 and of $\cup$.

Let us consider each of the abstract operations. The operation nop leaves the state unchanged. The same happens for the operations working with integer values only, such as is_true, is_false, $=$ and $+$, since the domain $\mathcal{ER}$ ignores variables with integer values. The concrete operation get_int loads an integer into $\mathsf{res}$. Hence, its abstract counterpart loads $*$ into $\mathsf{res}$, since $*$ is the approximation for integer values (Definition 35). The concrete operation get_null loads $\mathit{null}$ into $\mathsf{res}$ and
$\mathit{nop}_\tau(\phi\star\mu) = \phi\star\mu$
$\mathit{get\_int}_\tau(\phi\star\mu) = \phi[\mathsf{res}\mapsto *]\star\mu$
$\mathit{get\_null}_\tau(\phi\star\mu) = \phi[\mathsf{res}\mapsto\emptyset]\star\mu$
$\mathit{get\_var}^v_\tau(\phi\star\mu) = \phi[\mathsf{res}\mapsto\phi(v)]\star\mu$
$\mathit{is\_true}_\tau(\phi\star\mu) = \mathit{is\_false}_\tau(\phi\star\mu) = \phi\star\mu$
$\cup_\tau(\phi_1\star\mu_1)(\phi_2\star\mu_2) = (\phi_1\cup\phi_2)\star(\mu_1\cup\mu_2)$
$\mathit{is\_null}_\tau(\phi\star\mu) = \xi_{\tau[\mathsf{res}\mapsto\mathit{int}]}(\phi[\mathsf{res}\mapsto *]\star\mu)$
$\mathit{new}^\pi_\tau(\phi\star\mu) = \phi[\mathsf{res}\mapsto\{\pi\}]\star\mu$
$\mathit{put\_var}^v_\tau(\phi\star\mu) = \xi_{\tau|_{-\mathsf{res}}}(\phi[v\mapsto\phi(\mathsf{res})]|_{-\mathsf{res}}\star\mu)$
$\mathit{restrict}^{vs}_\tau(\phi\star\mu) = \xi_{\tau|_{-vs}}(\phi|_{-vs}\star\mu)$
$\mathit{expand}^{v:t}_\tau(\phi\star\mu) = \begin{cases}\phi[v\mapsto *]\star\mu & \text{if } t = \mathit{int}\\ \phi[v\mapsto\emptyset]\star\mu & \text{otherwise}\end{cases}$
$=_\tau(\phi_1\star\mu_1)(\phi_2\star\mu_2) = +_\tau(\phi_1\star\mu_1)(\phi_2\star\mu_2) = \phi_2\star\mu_2$

$\mathit{get\_field}^f_\tau(\phi\star\mu) = \begin{cases}\bot & \text{if } \phi(\mathsf{res}) = \emptyset\\ \xi_{\tau|_{-\mathsf{res}}[\mathsf{res}\mapsto F(\tau(\mathsf{res}))(f)]}(\phi[\mathsf{res}\mapsto\mu(f)]\star\mu) & \text{otherwise}\end{cases}$

$\mathit{put\_field}^f_\tau(\phi_1\star\mu_1)(\phi_2\star\mu_2) = \begin{cases}\bot & \text{if } \phi_1(\mathsf{res}) = \emptyset\\ \xi_{\tau|_{-\mathsf{res}}}(\phi_2|_{-\mathsf{res}}\star\mu_2) & \text{otherwise, if no } \pi\in\phi_1(\mathsf{res}) \text{ occurs in } \phi_2|_{-\mathsf{res}}\star\mu_2\\ \xi_{\tau|_{-\mathsf{res}}}(\phi_2|_{-\mathsf{res}}\star\mu_2[f\mapsto\mu_2(f)\cup\phi_2(\mathsf{res})]) & \text{otherwise}\end{cases}$

$\mathit{call}^{v_1,\dots,v_n}_\tau(\phi\star\mu) = \xi_{\tau'}([\iota_1\mapsto\phi(v_1),\dots,\iota_n\mapsto\phi(v_n),\mathsf{this}\mapsto\phi(\mathsf{res})]\star\mu)$, where $\iota_1,\dots,\iota_n$ are the parameters of the callee as in Figure 8 and $\tau'$ the type environment of the callee's scope

$\mathit{return}_\tau(\phi_1\star\mu_1)(\phi_2\star\mu_2) = \xi_{\tau|_{-\mathsf{res}}}(\phi_1|_{-\mathsf{res}}\star\mu^\top)\cup([\mathsf{res}\mapsto\phi_2(\mathsf{out})]\star\mu_2)$, where $\mu^\top$ is the top of $\mathit{Memory}^{\mathcal{ER}}$

$\mathit{lookup}^{m,\nu}_\tau(\phi\star\mu) = \begin{cases}\bot & \text{if } e = \{\pi\in\phi(\mathsf{res})\mid M(k(\pi))(m) = \nu\} = \emptyset\\ \xi_\tau(\phi[\mathsf{res}\mapsto e]\star\mu) & \text{otherwise.}\end{cases}$

Figure 10. The abstract operations over $\mathcal{ER}$.



hence its abstract counterpart approximates $\mathsf{res}$ with $\emptyset$. The operation $\mathit{get\_var}^v$ copies the creation points of $v$ into those of $\mathsf{res}$. The $\cup$ operation merges the creation points of the objects bound to each given variable or field in one of the two branches of a conditional. The concrete is_null operation checks if $\mathsf{res}$ contains $\mathit{null}$ or not, and loads 1 or $-1$ into $\mathsf{res}$ accordingly. Hence its abstract counterpart loads $*$ into $\mathsf{res}$. Since the old value of $\mathsf{res}$ may no longer be reachable, we apply the abstract garbage collector $\xi$. The $\mathit{new}^\pi$ operation binds $\mathsf{res}$ to an object created at $\pi$. The $\mathit{put\_var}^v$ operation copies the value of $\mathsf{res}$ into $v$, and removes $\mathsf{res}$. Since the old value of $v$ may be lost, we apply the abstract garbage collector $\xi$. The restrict operation removes some variables from the scope and, hence, calls $\xi$. The $\mathit{expand}^{v:t}$ operation adds the variable $v$ to the scope. Its initial value is approximated with $*$, if it is 0, and with $\emptyset$, if it is $\mathit{null}$. The $\mathit{get\_field}^f$ operation returns $\bot$ if it is always applied to states where the receiver $\mathsf{res}$ is $\mathit{null}$. This is because $\bot$ is the best approximation of the empty set of final states. If, instead, the receiver is not necessarily $\mathit{null}$, the creation points of the field $f$ are copied from the approximation $\mu(f)$ into the approximation of $\mathsf{res}$. Since this operation changes the value of $\mathsf{res}$, possibly making some object unreachable, it needs to call $\xi$. For the $\mathit{put\_field}^f$ operation, we first check if the receiver is always $\mathit{null}$, in which case the abstract operation returns $\bot$. Then we consider the case in which the evaluation of what is going to be put inside the field makes the receiver unreachable. This (pathological) case happens in a situation such as a.g.f = m(a), where the method call m(a) sets to $\mathit{null}$ the field g of the object bound to a. Since we assume that the left-hand side is evaluated before the right-hand side, the receiver is not necessarily $\mathit{null}$, but the field update might not be observable if a.g.f is only reachable from a. In the third and final case for put_field we consider the standard situation when we write into a reachable field of a non-null receiver. The creation points of the right-hand side are added to those already approximating the objects stored in $f$. The call operation restricts the scope to the parameters passed to a method and hence $\xi$ is used. The return operation copies into $\mathsf{res}$ the return value of the method, which is held in $\mathsf{out}$. The local variables of the caller are put back into scope, but the approximation of their fields is provided through a worst-case assumption $\mu^\top$, since they may be modified by the call. This loss of precision can be overcome by means of shadow copies of the variables, just as for $\mathcal{E}$ (see Example 52). The $\mathit{lookup}^{m,\nu}$ operation first computes the subset $e$ of the approximation of the receiver of the call only containing the creation points whose class leads to a call to the method $\nu$ when $m$ is invoked. If $e = \emptyset$, a call to $\nu$ is impossible and the result of the operation is $\bot$. Otherwise, $e$ becomes the approximation of the receiver $\mathsf{res}$, so that some creation points can disappear and we need to call $\xi$.

Example 51 See journal version of this paper. 

The abstract state $s_8$ shows that the imprecision problem of $\mathcal{E}$, related to the return operation, is still present in $\mathcal{ER}$. By comparing $s_2$ with $s_8$, it can be seen that the return operation makes a very pessimistic assumption about the possible creation points for the next and rotation fields. In particular, from $s_8$ it seems that creation points $\pi_3$ and $\pi_4$ are reachable (they belong to $\mu^\top$), which is not the case in the concrete state (compare this with $\sigma_8$ in Example 19). As for the domain $\mathcal{E}$, this problem can be solved by including, in the state of the callee, shadow copies of the parameters of the caller. This is implemented through a preprocessing of the bodies of the methods which prepends statements of the form v':=v for each parameter v, where v' is the shadow copy of v. Since shadow copies are fresh new variables, not already occurring in the method's body, their value is never changed. In this way, at the end of the method we know which creation points are reachable from the fields of the objects bound to such parameters.

Example 52 See journal version of this paper.

As previously noted in Subsection 1.2, shadow copies of the parameters are also useful for dealing with methods that modify their formal parameters.

There was another problem with $\mathcal{E}$, related to the fact that $\mathcal{E}$ does not distinguish between different variables (see end of Section 4). It is not surprising that $\mathcal{ER}$ solves that problem, as shown below.

Example 53 See journal version of this paper. 
5.3. $\mathcal{ER}$ is a Refinement of $\mathcal{E}$

We have called $\mathcal{ER}$ a refinement of $\mathcal{E}$. In order to give this word a formal justification, we show here that $\mathcal{ER}$ actually includes the elements of $\mathcal{E}$. Namely, we show how every element $e\in\mathcal{E}$ can be embedded into an element $\theta(e)$ of $\mathcal{ER}$, such that $e$ and $\theta(e)$ have the same concretisation i.e., they represent the same property of concrete states. The idea, formalised in Definition 54, is that every variable or field must be bound in $\mathcal{ER}$ to all those creation points in $e$ compatible with its type.

Definition 54 (Embedding of $\mathcal{E}$ into $\mathcal{ER}$) Let $s\subseteq\Pi$. We define $\vartheta_\tau(s)\in\mathit{Frame}^{\mathcal{ER}}_\tau$ such that, for every $v\in\mathrm{dom}(\tau)$,

$\vartheta_\tau(s)(v) = \begin{cases}* & \text{if } \tau(v) = \mathit{int}\\ \{\pi\in s\mid k(\pi)\le\tau(v)\} & \text{if } \tau(v)\in\mathcal{K}.\end{cases}$

The embedding $\theta_\tau(e)\in\mathcal{ER}_\tau$ of $e\in\mathcal{E}_\tau$ is $\theta_\tau(e) = \xi_\tau(\vartheta_\tau(e)\star\vartheta_{\bar\tau}(e))$.

Example 55 See journal version of this paper. 
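The following Python prototype is an added example, not code from the paper: it implements the refined domain $\mathcal{ER}$ on a constructed program, with the abstract garbage collector $\xi_\tau$ of Definition 44, the operations get_var, get_field, put_field and put_var of Figure 10, and the embedding $\theta_\tau$ of Definition 54. Since the clauses of $\rho^i_\tau$ are not on this page, $\rho$ is implemented under the reading given in the text above Definition 44: the creation points of the class-typed variables in scope, closed under the class-typed fields of the classes of those points. The classes A, B $\le$ A and C, the fields A.next, B.peer and C.ref, and the creation points p1, p2, p3 are assumptions of the example. The run shows the two things $\mathcal{ER}$ adds over $\mathcal{E}$ (Examples 34 and 53): the variables x and y keep separate creation points, and $\xi$ resets the field of a class with no reachable creation point to $\emptyset$, so that after x = y.peer the point p1 disappears from the whole state.

```python
"""Prototype of the refined domain ER (Definitions 35-44 and 54, Figure 10).
Added example on a constructed program; not the paper's code."""

INT, STAR, BOTTOM = "int", "*", None

# Constructed program (an assumption of this example); fields use fully qualified names.
SUBCLASS = {"A": {"A"}, "B": {"A", "B"}, "C": {"C"}}
FIELDS = {"A": {"A.next": "A"}, "B": {"A.next": "A", "B.peer": "B"}, "C": {"C.ref": "A"}}
TAU_BAR = {f: t for kappa in FIELDS for f, t in FIELDS[kappa].items()}   # type env of all fields
CLASS_OF = {"p1": "A", "p2": "B", "p3": "C"}                             # k(pi)

def leq(k1, k2):
    return k2 in SUBCLASS[k1]

def default(t):
    """Abstract value of a default-initialised variable or field of type t."""
    return STAR if t == INT else frozenset()

def without(d, *ks):
    return {k: v for k, v in d.items() if k not in ks}

def rho(tau, phi, mu):
    """Creation points reachable from the variables in scope through the abstract memory
    (assumed reading of the auxiliary map rho of Definition 44)."""
    reach = set().union(*(phi[v] for v in tau if tau[v] != INT))
    while True:
        more = set(reach)
        for p in reach:
            more.update(*(mu[f] for f, t in FIELDS[CLASS_OF[p]].items() if t != INT))
        if more == reach:
            return frozenset(reach)
        reach = more

def xi(tau, state):
    """Abstract garbage collector xi_tau: bottom when this can hold no object; otherwise
    the fields of classes with no reachable creation point are reset to their default."""
    if state is BOTTOM:
        return BOTTOM
    phi, mu = state
    if "this" in tau and not phi["this"]:
        return BOTTOM
    live = set().union(*(FIELDS[CLASS_OF[p]] for p in rho(tau, phi, mu)))
    return phi, {f: mu[f] if f in live else default(t) for f, t in TAU_BAR.items()}

# Abstract operations of Figure 10 used below (tau is the type environment before the op).
def get_var(tau, v, state):
    phi, mu = state
    return {**phi, "res": phi[v]}, mu

def put_var(tau, v, state):
    phi, mu = state
    return xi(without(tau, "res"), (without({**phi, v: phi["res"]}, "res"), mu))

def get_field(tau, f, state):
    phi, mu = state
    if not phi["res"]:
        return BOTTOM                  # the receiver is always null: no final state
    return xi({**without(tau, "res"), "res": TAU_BAR[f]}, ({**phi, "res": mu[f]}, mu))

def put_field(tau, f, s1, s2):
    """s1: state after evaluating the receiver (in res); s2: after evaluating the value."""
    (phi1, _), (phi2, mu2) = s1, s2
    if not phi1["res"]:
        return BOTTOM
    rest = without(phi2, "res")
    values = [v for v in list(rest.values()) + list(mu2.values()) if v != STAR]
    if not any(p in v for p in phi1["res"] for v in values):
        return xi(without(tau, "res"), (rest, mu2))        # receiver became unreachable
    return xi(without(tau, "res"), (rest, {**mu2, f: mu2[f] | phi2["res"]}))

def vartheta(tau, s):
    """Definition 54: each variable or field gets the points of s compatible with its type."""
    return {v: STAR if t == INT else frozenset(p for p in s if leq(CLASS_OF[p], t))
            for v, t in tau.items()}

def theta(tau, e):
    """Embedding theta_tau of an element e of E into ER."""
    return xi(tau, (vartheta(tau, e), vartheta(TAU_BAR, e)))

def demo():
    tau = {"x": "A", "y": "B"}
    raw = ({"x": frozenset({"p1"}), "y": frozenset({"p2"})},
           {"A.next": frozenset(), "B.peer": frozenset({"p2"}), "C.ref": frozenset({"p1"})})
    s0 = xi(tau, raw)                                    # C.ref is garbage: no C is reachable
    tr = {**tau, "res": "A"}
    s_recv = get_var(tau, "x", s0)                       # x.next = y
    s_val = get_var(tr, "y", s_recv)
    s_pf = put_field(tr, "A.next", s_recv, s_val)
    tb = {**tau, "res": "B"}
    s_asg = put_var(tb, "x", get_field(tb, "B.peer", get_var(tau, "y", s0)))   # x = y.peer
    return {"gc": s0, "after_put_field": s_pf, "after_assign": s_asg,
            "E_view_after_assign": rho(tau, *s_asg),
            "null_receiver": get_field(tr, "A.next", ({**s0[0], "res": frozenset()}, s0[1])),
            "embedding": theta(tau, {"p1", "p2", "p3"})}

if __name__ == "__main__":
    for name, value in demo().items():
        print(name, value)
```

In the output, `gc` keeps x and y apart (x holds p1, y holds p2) where the $\mathcal{E}$ view would only say {p1, p2}; `after_assign` shows that, once x and y both hold p2, $\xi$ leaves no trace of p1 anywhere; `embedding` reproduces what $\delta_\tau$ would do on the same set, dropping p3 because no variable or reachable field can have class C.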
Proposition 56 states that the embedding of Definition 54 is correct. The proof proceeds by showing that $\theta_\tau(e)$ is an element of $\mathcal{ER}_\tau$ and approximates exactly the same concrete states as $e$, that is, for every element of $\mathcal{E}$ there is an element of $\mathcal{ER}$ which represents exactly the same set of concrete states.

Proposition 56 Let $\gamma^{\mathcal{E}}_\tau$ and $\gamma^{\mathcal{ER}}_\tau$ be the concretisation maps induced by the abstraction maps of Definitions 22 and 41, respectively. Then $\gamma^{\mathcal{E}}_\tau(\mathcal{E}_\tau)\subseteq\gamma^{\mathcal{ER}}_\tau(\mathcal{ER}_\tau)$.

The following example shows that the inclusion relation in Proposi- 
tion 56 must be strict. 

Example 57 See journal version of this paper. 



6. Implementation 

See journal version of this paper. 



7. Discussion 

8. Conclusion 

We have presented a formal development of an escape analysis by abstract interpretation, providing optimality results in the form of a Galois insertion from the concrete to the abstract domain and of the definition of optimal abstract operations. This escape analysis has been implemented and applied to full Java (bytecode). This results in an escape analyser which is probably less precise than others already developed, but still performs well in practice from the points of view of its cost and precision.

A first, basic escape domain $\mathcal{E}$ is defined as a property of concrete
states (Definition 29). This domain is simple but non-trivial since

— the set of the creation points of the objects reachable from the
current state can both grow (new) and shrink ($\delta$); i.e., static type
information contains escape information (Examples 24 and 33);

— that set is sometimes useful to restrict the possible targets of
a virtual call, i.e., escape information contains class information
(Example 33).
However, the escape analysis induced by our domain $\mathcal{E}$ is not precise
enough from a computational point of view, since it induces rather
imprecise abstract operations. We have therefore defined a refinement
$\mathcal{ER}$ of $\mathcal{E}$, on the basis of the information that $\mathcal{E}$ lacks, in order to attain
better precision. The relation between $\mathcal{ER}$ and $\mathcal{E}$ is similar to that between
Palsberg and Schwartzbach's class analysis [23, 31] and rapid type
analysis [3] although, while all objects stored in memory are considered
in [3, 31, 23], only those actually reachable from the variables in scope
are considered by the domains $\mathcal{E}$ and $\mathcal{ER}$ (Definitions 22 and 41). The
ability to describe only the reachable objects, through the use of an
abstract garbage collector ($\delta$ in Figure 9 and $\xi$ in Figure 10), improves
the precision of the analysis, since it becomes focused on only those
objects that can actually affect the concrete execution of the program.

It is interesting to consider whether this notion of reachability and the use
of an abstract garbage collector can be applied to other static analyses
of the run-time heap as well. Namely, class, shape, sharing and cyclicity
analyses might benefit from them.
Appendix

A. Proofs of Propositions 27, 28 and 32 in Section 4.

Proposition 27. Let $i \in \mathbb{N}$. The abstract garbage collectors $\delta^i_\tau$ and $\delta_\tau$
are lco's.

Proof. Since $\delta_\tau$ is obtained from the maps $\delta^i_\tau$ (Definition 25), it is enough to prove the result for $\delta^i_\tau$ only.

By Definition 25, the maps $\delta^i_\tau$ for $i \in \mathbb{N}$ are reductive and monotonic.
We prove idempotency by induction over $i \in \mathbb{N}$. Let $e \subseteq \Pi$. We have
$\delta^0_\tau\delta^0_\tau(e) = \delta^0_\tau(\emptyset) = \emptyset = \delta^0_\tau(e)$. Assume that the result holds for a given
$i \in \mathbb{N}$. If $\mathit{this} \in \mathrm{dom}(\tau)$ and there is no $\pi \in e$ such that $k(\pi) \le
\tau(\mathit{this})$, then $\delta^{i+1}_\tau\delta^{i+1}_\tau(e) = \delta^{i+1}_\tau(\emptyset) = \emptyset = \delta^{i+1}_\tau(e)$. Suppose now that, if
$\mathit{this} \in \mathrm{dom}(\tau)$, then there exists $\pi \in e$ such that $k(\pi) \le \tau(\mathit{this})$. By
reductivity, $\delta^{i+1}_\tau\delta^{i+1}_\tau(e) \subseteq \delta^{i+1}_\tau(e)$. We prove that the converse inclusion
holds. By Definition 25 we have
$$
\delta^{i+1}_\tau\delta^{i+1}_\tau(e) = \bigcup\left\{\{\pi\} \cup \delta^i_{F(k(\pi))}(\delta^{i+1}_\tau(e)) \;\middle|\; \kappa \in \mathrm{rng}(\tau) \cap \mathcal{K},\ \pi \in \delta^{i+1}_\tau(e),\ k(\pi) \le \kappa\right\}. \tag{1}
$$
Let $\kappa \in \mathrm{rng}(\tau) \cap \mathcal{K}$ and $\pi \in \Pi$ be such that $k(\pi) \le \kappa$. If $\pi \in \delta^{i+1}_\tau(e)$
then, by reductivity, we have $\pi \in e$. Conversely, if $\pi \in e$ then, by
Definition 25, $\pi \in \delta^{i+1}_\tau(e)$. We conclude from (1) that
$$
\begin{aligned}
\delta^{i+1}_\tau\delta^{i+1}_\tau(e) &= \bigcup\left\{\{\pi\} \cup \delta^i_{F(k(\pi))}(\delta^{i+1}_\tau(e)) \;\middle|\; \kappa \in \mathrm{rng}(\tau) \cap \mathcal{K},\ \pi \in e,\ k(\pi) \le \kappa\right\} \\
\text{(monotonicity)}\ &\supseteq \bigcup\left\{\{\pi\} \cup \delta^i_{F(k(\pi))}\delta^i_{F(k(\pi))}(e) \;\middle|\; \kappa \in \mathrm{rng}(\tau) \cap \mathcal{K},\ \pi \in e,\ k(\pi) \le \kappa\right\} \\
\text{(ind. hypothesis)}\ &= \bigcup\left\{\{\pi\} \cup \delta^i_{F(k(\pi))}(e) \;\middle|\; \kappa \in \mathrm{rng}(\tau) \cap \mathcal{K},\ \pi \in e,\ k(\pi) \le \kappa\right\} \\
&= \delta^{i+1}_\tau(e),
\end{aligned}
$$
where the monotonicity step uses $\delta^i_{F(k(\pi))}(e) \subseteq \delta^{i+1}_\tau(e)$, which holds by Definition 25. $\square$



To prove Proposition 28, we need some preliminary definitions and
results. We start by defining, for every $i \in \mathbb{N}$, a map $\alpha^i_\tau$ which, for
sufficiently large $i$, coincides with $\alpha_\tau$ (Definition 22).

Definition 58 Let $i \in \mathbb{N}$. We define the map $\alpha^i_\tau : \wp(\Sigma_\tau) \mapsto \wp(\Pi)$ as
$\alpha^i_\tau(S) = \{o.\pi \mid \sigma \in S \text{ and } o \in O^i_\tau(\sigma)\}$ (see Definition 21 for $O^i_\tau$).

Corollary 59 Let $S \subseteq \Sigma_\tau$ and $i \ge 0$. We have
$$
\alpha^{i+1}_\tau(S) = \bigcup\left\{\{o.\pi\} \cup \alpha^i_{F(k(o.\pi))}(o.\phi \star \mu) \;\middle|\; \phi \star \mu \in S,\ v \in \mathrm{dom}(\tau),\ \phi(v) \in \mathit{Loc},\ o = \mu\phi(v)\right\}.
$$

Proof. By Definitions 58 and 21. $\square$

Lemma 60 states that $\alpha^i_\tau$ (and hence also $\alpha_\tau$ itself) yields sets of
creation points that do not contain garbage.

Lemma 60 Let $\sigma \in \Sigma_\tau$ and $i \in \mathbb{N}$. Then $\alpha^i_\tau(\sigma) = \delta^i_\tau\alpha^i_\tau(\sigma)$.

Proof. By reductivity (Proposition 27), we have $\alpha^i_\tau(\sigma) \supseteq \delta^i_\tau\alpha^i_\tau(\sigma)$.
It remains to prove $\alpha^i_\tau(\sigma) \subseteq \delta^i_\tau\alpha^i_\tau(\sigma)$. Let $\sigma = \phi\star\mu$. We proceed
by induction on $i$. We have $\alpha^0_\tau(\sigma) = \emptyset = \delta^0_\tau\alpha^0_\tau(\sigma)$. Assume that the
property holds for a given $i \in \mathbb{N}$. For an object $o$, let $\tau' = F(k(o.\pi))$, and let
$X = \{\mu\phi(v) \mid v \in \mathrm{dom}(\phi) \text{ and } \phi(v) \in \mathit{Loc}\}$. By Corollary 59,
$$
\begin{aligned}
\alpha^{i+1}_\tau(\sigma) &= \bigcup\{\{o.\pi\} \cup \alpha^i_{\tau'}(o.\phi\star\mu) \mid o \in X\} \\
\text{(inductive hypothesis)}\ &= \bigcup\{\{o.\pi\} \cup \delta^i_{\tau'}\alpha^i_{\tau'}(o.\phi\star\mu) \mid o \in X\}.
\end{aligned} \tag{2}
$$
By Corollary 59, we have $\alpha^i_{\tau'}(o.\phi\star\mu) \subseteq \alpha^{i+1}_\tau(\sigma)$ and, by monotonicity (Proposition 27),
(2) is contained in
$$
\bigcup\{\{o.\pi\} \cup \delta^i_{\tau'}\alpha^{i+1}_\tau(\sigma) \mid o \in X\}. \tag{3}
$$
Note that, given $o \in X$, we can always find $\kappa \in \mathrm{rng}(\tau) \cap \mathcal{K}$ such that
$k(o.\pi) \le \kappa$. Indeed, by the definition of $X$, there exists $v \in \mathrm{dom}(\phi) =
\mathrm{dom}(\tau)$ such that $\phi(v) \in \mathit{Loc}$ and $o = \mu\phi(v)$. By Definition 11, we have
$\tau(v) \in \mathcal{K}$. By Definition 14, we have $k(o.\pi) = k((\mu\phi(v)).\pi) \le \tau(v)$.
Hence, letting $\kappa = \tau(v)$, (3) is
$$
\begin{aligned}
&\bigcup\left\{\{o.\pi\} \cup \delta^i_{\tau'}\alpha^{i+1}_\tau(\sigma) \;\middle|\; o \in X,\ \kappa \in \mathrm{rng}(\tau) \cap \mathcal{K},\ k(o.\pi) \le \kappa\right\} \\
\text{(Corollary 59)}\ &\subseteq \bigcup\left\{\{\pi\} \cup \delta^i_{F(k(\pi))}\alpha^{i+1}_\tau(\sigma) \;\middle|\; \pi \in \alpha^{i+1}_\tau(\sigma),\ \kappa \in \mathrm{rng}(\tau) \cap \mathcal{K},\ k(\pi) \le \kappa\right\} \\
\text{(Definition 25)}\ &= \delta^{i+1}_\tau\alpha^{i+1}_\tau(\sigma).
\end{aligned}
$$
Note that the last step is correct since if $\mathit{this} \in \mathrm{dom}(\tau)$ we have
$\phi(\mathit{this}) \ne \mathit{null}$ (Definition 16). Hence $(\mu\phi(\mathit{this})).\pi \in \alpha^{i+1}_\tau(\sigma)$ and
$k((\mu\phi(\mathit{this})).\pi) \le \tau(\mathit{this})$ (Definition 13). We conclude that, if $\mathit{this} \in
\mathrm{dom}(\tau)$, then there exists $\pi \in \alpha^{i+1}_\tau(\sigma)$ such that $k(\pi) \le \tau(\mathit{this})$. $\square$

Let $e$ be a set of creation points. We now define frames and memories which use all possible creation points in $e$ allowed by the type
environment of the variables. In this sense, they are the richest frames
and memories containing creation points from $e$ only.

Definition 61 Let $\{\pi_1, \ldots, \pi_n\}$ be an enumeration without repetitions
of $\Pi$. Let $l_1, \ldots, l_n$ be distinct locations. Let $e \subseteq \Pi$ and $w \in \mathrm{dom}(\tau)$
such that $\tau(w) \in \mathcal{K}$. We define
$$
L_\tau(e, w) = \{l_i \mid 1 \le i \le n,\ \pi_i \in e \text{ and } k(\pi_i) \le \tau(w)\},
$$
$$
\overline{\phi}_\tau(e) = \left\{\phi \in \mathit{Frame}_\tau \;\middle|\; \text{for every } v \in \mathrm{dom}(\tau)\ 
\begin{array}{l}
\tau(v) = \mathit{int} \Rightarrow \phi(v) = 0 \\
\tau(v) \in \mathcal{K},\ L_\tau(e,v) = \emptyset \Rightarrow \phi(v) = \mathit{null} \\
\tau(v) \in \mathcal{K},\ L_\tau(e,v) \ne \emptyset \Rightarrow \phi(v) \in L_\tau(e,v)
\end{array}\right\},
$$
$$
\overline{\mu}(e) = \left\{\mu \in \mathit{Memory} \;\middle|\; \mu = [l_1 \mapsto \pi_1 \star \phi_1, \ldots, l_n \mapsto \pi_n \star \phi_n] \text{ and } \phi_i \in \overline{\phi}_{F(k(\pi_i))}(e) \text{ for } i = 1, \ldots, n\right\}.
$$

We prove now some properties of the frames and memories of Definition 61.

Lemma 62 Let $e_1, e_2 \subseteq \Pi$, $\phi \in \overline{\phi}_\tau(e_1)$ and $\mu \in \overline{\mu}(e_2)$. Then

i) $\phi\star\mu : \tau$;

ii) $\phi\star\mu \in \Sigma_\tau$ if and only if $\mathit{this} \notin \mathrm{dom}(\tau)$ or there exists $\pi \in e_1$ s.t. $k(\pi) \le \tau(\mathit{this})$;

iii) If $\phi\star\mu \in \Sigma_\tau$ then $\alpha_\tau(\phi\star\mu) \subseteq e_1 \cup e_2$.

Proof.

i) Condition 1 of Definition 14 is satisfied since we have that $\mathrm{rng}(\phi) \cap
\mathit{Loc} \subseteq \{l_1, \ldots, l_n\} = \mathrm{dom}(\mu)$. Moreover, if $v \in \mathrm{dom}(\phi)$ and $\phi(v) \in
\mathit{Loc}$ then $\phi(v) \in L_\tau(e_1, v)$. Thus there exists $1 \le i \le n$ such that
$\phi(v) = l_i$, $(\mu\phi(v)).\pi = \pi_i$ and $k((\mu\phi(v)).\pi) = k(\pi_i) \le \tau(v)$. Condition 2 of Definition 14 holds because if $o \in \mathrm{rng}(\mu)$ then $o.\phi = \phi_i$
for some $1 \le i \le n$. Since $\phi_i \in \overline{\phi}_{F(k(\pi_i))}(e_2)$, reasoning as above we
conclude that $\phi_i$ is $F(k(\pi_i))$-correct w.r.t. $\mu$. Then $\phi\star\mu : \tau$.

ii) By point i, we know that $\phi\star\mu : \tau$. From Definition 16, we have
$\phi\star\mu \in \Sigma_\tau$ if and only if $\mathit{this} \notin \mathrm{dom}(\tau)$ or $\phi(\mathit{this}) \ne \mathit{null}$. By
Definition 61, the latter case holds if and only if $L_\tau(e_1, \mathit{this}) \ne \emptyset$,
i.e., if and only if there exists $\pi \in e_1$ such that $k(\pi) \le \tau(\mathit{this})$.

iii) Since $\phi\star\mu \in \Sigma_\tau$, the $\alpha_\tau$ map is defined (Definition 22). Let
$$
L = \left(\mathrm{rng}(\phi) \cup \bigcup\{\mathrm{rng}(o.\phi) \mid o \in \mathrm{rng}(\mu)\}\right) \cap \mathit{Loc}.
$$
Since $\phi \in \overline{\phi}_\tau(e_1)$ and $o.\phi \in \overline{\phi}_{F(k(o.\pi))}(e_2)$ for every $o \in \mathrm{rng}(\mu)$, by
Definition 61, we have
$$
\{\mu(l).\pi \mid l \in L\} \subseteq e_1 \cup e_2.
$$
main.tex; 1/02/2008; 21:23; p. 34 
By Definition 22, we conclude that
$$
\alpha_\tau(\phi\star\mu) \subseteq \{\mu(l).\pi \mid l \in L\} \subseteq e_1 \cup e_2.
$$
$\square$



Lemma 63 gives an explicit definition of the abstraction of the set
of states constructed from the frames and memories of Definition 61.

Lemma 63 Let $e_1, e_2 \subseteq \Pi$, $j \in \mathbb{N}$ and
$$
A^j = \alpha^{j+1}_\tau(\{\phi\star\mu \in \Sigma_\tau \mid \phi \in \overline{\phi}_\tau(e_1) \text{ and } \mu \in \overline{\mu}(e_2)\}).
$$
Then
$$
A^j = \begin{cases}
\emptyset & \text{if } \mathit{this} \in \mathrm{dom}(\tau) \text{ and there is no } \pi \in e_1 \text{ s.t. } k(\pi) \le \tau(\mathit{this}) \\[4pt]
\bigcup\left\{\{\pi\} \cup \delta^j_{F(k(\pi))}(e_2) \;\middle|\; v \in \mathrm{dom}(\tau),\ \tau(v) \in \mathcal{K},\ \pi \in e_1,\ k(\pi) \le \tau(v)\right\} & \text{otherwise.}
\end{cases}
$$

Proof. We proceed by induction over $j$. By Lemma 62.ii, if $j = 0$ we have
$$
A^0 = \begin{cases}
\emptyset & \text{if } \mathit{this} \in \mathrm{dom}(\tau) \text{ and there is no } \pi \in e_1 \text{ s.t. } k(\pi) \le \tau(\mathit{this}) \\[4pt]
\left\{o.\pi \;\middle|\; \phi \in \overline{\phi}_\tau(e_1),\ \mu \in \overline{\mu}(e_2),\ v \in \mathrm{dom}(\phi),\ \phi(v) \in \mathit{Loc},\ o = \mu\phi(v)\right\} & \text{otherwise.}
\end{cases}
$$
By Definition 61, the latter case is equal to
$$
\left\{\pi_i \;\middle|\; v \in \mathrm{dom}(\tau),\ \tau(v) \in \mathcal{K},\ 1 \le i \le n,\ \pi_i \in e_1,\ k(\pi_i) \le \tau(v)\right\}
= \bigcup\left\{\{\pi\} \;\middle|\; v \in \mathrm{dom}(\tau),\ \tau(v) \in \mathcal{K},\ \pi \in e_1,\ k(\pi) \le \tau(v)\right\},
$$
which is the thesis for $j = 0$ since $\delta^0_{F(k(\pi))}(e_2) = \emptyset$.

Assume now that the result holds for a given $j \in \mathbb{N}$. If $\mathit{this} \in \mathrm{dom}(\tau)$
and there is no $\pi \in e_1$ such that $k(\pi) \le \tau(\mathit{this})$, by Lemma 62.ii, we
have $A^{j+1} = \emptyset$. Otherwise, by Corollary 59 we have
$$
A^{j+1} = \bigcup\left\{\{o.\pi\} \cup \alpha^{j+1}_{F(k(o.\pi))}(o.\phi\star\mu) \;\middle|\; \phi \in \overline{\phi}_\tau(e_1),\ \mu \in \overline{\mu}(e_2),\ v \in \mathrm{dom}(\phi),\ \phi(v) \in \mathit{Loc},\ o = \mu\phi(v)\right\}. \tag{4}
$$
As for the base case, we know that $o.\pi$ ranges over $\{\pi \in e_1 \mid v \in
\mathrm{dom}(\tau),\ \tau(v) \in \mathcal{K},\ k(\pi) \le \tau(v)\}$. Since $o.\phi \in \overline{\phi}_{F(k(o.\pi))}(e_2)$ is arbitrary
(Definition 61), by the inductive hypothesis (applied to $F(k(\pi))$, $e_2$ and $e_2$) and Definition 25, (4) becomes
$$
\begin{aligned}
&\bigcup\left\{\{\pi\} \cup \alpha^{j+1}_{F(k(\pi))}(\{\phi\star\mu \mid \phi \in \overline{\phi}_{F(k(\pi))}(e_2),\ \mu \in \overline{\mu}(e_2)\}) \;\middle|\; v \in \mathrm{dom}(\tau),\ \tau(v) \in \mathcal{K},\ \pi \in e_1,\ k(\pi) \le \tau(v)\right\} \\
&= \bigcup\left\{\{\pi\} \cup \delta^{j+1}_{F(k(\pi))}(e_2) \;\middle|\; v \in \mathrm{dom}(\tau),\ \tau(v) \in \mathcal{K},\ \pi \in e_1,\ k(\pi) \le \tau(v)\right\}.
\end{aligned}
$$
$\square$

Corollary 64 Let $e_1, e_2 \subseteq \Pi$. Let
$$
A_\tau(e_1, e_2) = \alpha_\tau(\{\phi\star\mu \in \Sigma_\tau \mid \phi \in \overline{\phi}_\tau(e_1) \text{ and } \mu \in \overline{\mu}(e_2)\}).
$$
Then

i)
$$
A_\tau(e_1, e_2) = \begin{cases}
\emptyset & \text{if } \mathit{this} \in \mathrm{dom}(\tau) \text{ and no } \pi \in e_1 \text{ is s.t. } k(\pi) \le \tau(\mathit{this}) \\[4pt]
\bigcup\left\{\{\pi\} \cup \delta_{F(k(\pi))}(e_2) \;\middle|\; v \in \mathrm{dom}(\tau),\ \tau(v) \in \mathcal{K},\ \pi \in e_1,\ k(\pi) \le \tau(v)\right\} & \text{otherwise;}
\end{cases}
$$

ii) $A_\tau(e_1, e_1) = \delta_\tau(e_1)$.

Proof. Point i follows by Lemma 63 since $j$ is arbitrary. Point ii
follows from point i and Definition 25. $\square$
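Corollary 64.ii, together with the unfolding of Definition 25 used in the proof of Proposition 27, can be checked mechanically on a small instance. The following Python script is an added example and is not code from the paper or from its implementation. It assumes a constructed class hierarchy, field maps $F(\kappa)$ and creation points with their classes $k(\pi)$; it reconstructs $\delta^i_\tau$ from the recursive case in the proof of Proposition 27 (base case $\emptyset$, the $\mathit{this}$ guard, and recursion through $F(k(\pi))$), builds the richest frames and memories of Definition 61, and computes $\alpha_\tau$ over the resulting states as unfolded in Corollary 59. The names `gc`, `richest_frames`, `richest_memories`, `alpha` and `abstraction_of_richest` are the script's own.

```python
"""Abstract garbage collector delta_tau of the escape domain E, checked against the
richest concrete states of Definition 61.  Added example, not code from the paper.
Assumptions: delta^i_tau is reconstructed from the proof of Proposition 27; alpha_tau
follows Definition 22 as unfolded in Corollary 59; the hierarchy below is constructed."""
from functools import lru_cache
from itertools import product

INT = "int"
SUPER = {"Node": "Object", "Leaf": "Node", "Pair": "Object"}  # direct superclass (constructed)
CLASSES = frozenset({"Object", *SUPER})
FIELDS = {                                                    # F(kappa): fields of each class
    "Object": {},
    "Node": {"next": "Node", "val": INT},
    "Leaf": {"next": "Node", "val": INT},
    "Pair": {"fst": "Object", "snd": "Object"},
}
K = {"p1": "Node", "p2": "Leaf", "p3": "Pair"}                # k(pi): class created at pi


def subclass(k1, k2):
    """k1 <= k2 in the class hierarchy."""
    while k1 != k2:
        if k1 not in SUPER:
            return False
        k1 = SUPER[k1]
    return True


def compatible(e, t):
    """Creation points of e whose class is a subclass of the (class) type t."""
    return frozenset(p for p in e if t != INT and subclass(K[p], t))


@lru_cache(maxsize=None)
def gc_i(tau_items, e, i):
    """delta^i_tau(e) as unfolded in the proof of Proposition 27 (tau passed as sorted items)."""
    tau = dict(tau_items)
    if i == 0:
        return frozenset()
    if "this" in tau and not compatible(e, tau["this"]):   # this must point to an object
        return frozenset()
    out = set()
    for kappa in set(tau.values()) & CLASSES:               # kappa in rng(tau) and a class
        for pi in compatible(e, kappa):                      # pi in e, k(pi) <= kappa
            out.add(pi)
            out |= gc_i(tuple(sorted(FIELDS[K[pi]].items())), e, i - 1)  # through its fields
    return frozenset(out)


def gc(tau, e):
    """delta_tau(e): the union of delta^i_tau(e) over i; stable after |e| + 1 steps."""
    e = frozenset(e)
    items = tuple(sorted(tau.items()))
    return frozenset().union(*(gc_i(items, e, i) for i in range(len(e) + 2)))


# Concrete side (Definition 61): the location l_pi is named by pi itself.
def richest_frames(tau, e):
    """phi_bar_tau(e): ints to 0, object variables to every compatible l_pi, null if none."""
    choices = []
    for v, t in tau.items():
        opts = [0] if t == INT else (sorted(compatible(e, t)) or [None])
        choices.append([(v, x) for x in opts])
    return [dict(c) for c in product(*choices)]


def richest_memories(e):
    """mu_bar(e): l_pi holds an object created at pi whose fields range over phi_bar_{F(k(pi))}(e)."""
    per_loc = [[(pi, (pi, fr)) for fr in richest_frames(FIELDS[K[pi]], e)] for pi in sorted(K)]
    return [dict(c) for c in product(*per_loc)]


def alpha(tau, phi, mu):
    """alpha_tau(phi*mu): creation points of the objects reachable from the variables in scope."""
    seen, work = set(), [phi[v] for v, t in tau.items() if t != INT and phi[v] is not None]
    while work:
        loc = work.pop()
        if loc in seen:
            continue
        seen.add(loc)
        work.extend(x for x in mu[loc][1].values() if isinstance(x, str))  # object-typed fields
    return frozenset(mu[loc][0] for loc in seen)


def abstraction_of_richest(tau, e):
    """A_tau(e, e) of Corollary 64: alpha_tau over all richest states that lie in Sigma_tau."""
    e = frozenset(e)
    states = [(phi, mu) for phi in richest_frames(tau, e)
              if "this" not in tau or phi["this"] is not None   # Definition 16
              for mu in richest_memories(e)]
    return frozenset().union(*(alpha(tau, phi, mu) for phi, mu in states))


if __name__ == "__main__":
    tau = {"this": "Node", "y": "Pair", "cnt": INT}
    e = {"p1", "p2", "p3"}
    print(sorted(gc(tau, e)), sorted(abstraction_of_richest(tau, e)))   # equal (Corollary 64.ii)
    print(sorted(gc({v: t for v, t in tau.items() if v != "y"}, e)))    # p3 is now garbage
```

Running `gc` and `abstraction_of_richest` on the same type environment returns the same set, which is what Corollary 64.ii states. Removing a variable from the environment, as the `restrict` operation does, makes the creation points reachable only through it disappear from `gc`, which is the content of Lemma 68; and with `this` bound to a class that no creation point in `e` instantiates, `gc` returns the empty set, matching the guard in Definition 25.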

Corollary 65 Let $\kappa \in \mathcal{K}$, $\tau = [\mathit{res} \mapsto \kappa]$, $p$ be a predicate over $\Pi$ and
$e \subseteq \Pi$ be such that there exists $\pi \in e$ such that $k(\pi) \le \tau(\mathit{res})$ and $p(\pi)$
holds. Then
$$
\alpha_\tau(\{\phi\star\mu \in \Sigma_\tau \mid \phi \in \overline{\phi}_\tau(e),\ \mu \in \overline{\mu}(e),\ p(\mu\phi(\mathit{res}).\pi)\})
= \bigcup\left\{\{\pi\} \cup \delta_{F(k(\pi))}(e) \;\middle|\; \pi \in e,\ k(\pi) \le \tau(\mathit{res}),\ p(\pi)\right\}.
$$

Proof. Let $j \in \mathbb{N}$. By the hypothesis on $e$ and Corollary 59 we have
$$
\begin{aligned}
&\alpha^{j+1}_\tau(\{\phi\star\mu \in \Sigma_\tau \mid \phi \in \overline{\phi}_\tau(e),\ \mu \in \overline{\mu}(e),\ p(\mu\phi(\mathit{res}).\pi)\}) \\
&= \bigcup\left\{\{o.\pi\} \cup \alpha^j_{F(k(o.\pi))}(o.\phi\star\mu) \;\middle|\; \phi \in \overline{\phi}_\tau(e),\ \mu \in \overline{\mu}(e),\ o = \mu\phi(\mathit{res}),\ p(o.\pi)\right\} \\
&= \bigcup\left\{\{\pi\} \cup \alpha^j_{F(k(\pi))}(\phi'\star\mu) \;\middle|\; \pi \in e,\ k(\pi) \le \tau(\mathit{res}),\ p(\pi),\ \phi' \in \overline{\phi}_{F(k(\pi))}(e),\ \mu \in \overline{\mu}(e)\right\}.
\end{aligned}
$$
Since $j$ is arbitrary we have
$$
\alpha_\tau(\{\phi\star\mu \in \Sigma_\tau \mid \phi \in \overline{\phi}_\tau(e),\ \mu \in \overline{\mu}(e),\ p(\mu\phi(\mathit{res}).\pi)\})
= \bigcup\left\{\{\pi\} \cup \alpha_{F(k(\pi))}(\{\phi'\star\mu \mid \phi' \in \overline{\phi}_{F(k(\pi))}(e),\ \mu \in \overline{\mu}(e)\}) \;\middle|\; \pi \in e,\ p(\pi),\ k(\pi) \le \tau(\mathit{res})\right\}
$$
and the thesis follows by Corollary 64.ii. $\square$



Proposition 28. Let $\delta_\tau$ be an abstract garbage collector. Then we
have $\mathrm{fp}(\delta_\tau) = \mathrm{rng}(\alpha_\tau)$ and $\emptyset \in \mathrm{fp}(\delta_\tau)$. Moreover, if $\mathit{this} \in \mathrm{dom}(\tau)$,
then for every $X \subseteq \Sigma_\tau$ we have $\alpha_\tau(X) = \emptyset$ if and only if $X = \emptyset$.

Proof. We first prove that $\mathrm{fp}(\delta_\tau) = \mathrm{rng}(\alpha_\tau)$. Let $X \subseteq \Sigma_\tau$ and $i \in \mathbb{N}$.
By Lemma 60 and monotonicity (Proposition 27) we have
$$
\alpha^i_\tau(X) = \bigcup\{\alpha^i_\tau(\sigma) \mid \sigma \in X\}
= \bigcup\{\delta^i_\tau\alpha^i_\tau(\sigma) \mid \sigma \in X\} \subseteq \delta^i_\tau\alpha^i_\tau(X) \subseteq \delta_\tau\alpha^i_\tau(X).
$$
The converse inclusion $\delta_\tau\alpha^i_\tau(X) \subseteq \alpha^i_\tau(X)$ holds because $\delta_\tau$ is reductive
(Proposition 27). Then $\alpha^i_\tau(X) \in \mathrm{fp}(\delta_\tau)$. Since $i$ is arbitrary we have
$\alpha_\tau(X) \in \mathrm{fp}(\delta_\tau)$. Conversely, let $e \in \mathrm{fp}(\delta_\tau)$. Consider the set of states
constructed from the frames and memories in Definition 61 and let
$$
X = \{\phi\star\mu \in \Sigma_\tau \mid \phi \in \overline{\phi}_\tau(e),\ \mu \in \overline{\mu}(e)\}.
$$
By Corollary 64.ii and since $e \in \mathrm{fp}(\delta_\tau)$, we have $\alpha_\tau(X) = \delta_\tau(e) = e$.

Since $\delta_\tau$ is reductive (Proposition 27), we have $\emptyset = \delta_\tau(\emptyset)$, i.e.,
$\emptyset \in \mathrm{fp}(\delta_\tau)$.

If $\mathit{this} \in \mathrm{dom}(\tau)$, every $\sigma \in \Sigma_\tau$ is such that $\alpha_\tau(\sigma) \ne \emptyset$, since $\mathit{this}$
cannot be unbound (Definition 16). Then $\alpha_\tau(X) = \emptyset$ if and only if
$X = \emptyset$. $\square$



The proof of Proposition 32 requires some preliminary results.

Corollary 66 states that if we know that the approximation of a set
of concrete states $S$ is some $e \subseteq \Pi$, then we can conclude that a better
approximation of $S$ is $\delta(e)$. In other words, garbage is never used in the
approximation.

Corollary 66 Let $S \subseteq \Sigma_\tau$ and $e \subseteq \Pi$. Then $\alpha_\tau(S) \subseteq \delta_\tau(e)$ if and
only if $\alpha_\tau(S) \subseteq e$.

Proof. Assume that $\alpha_\tau(S) \subseteq \delta_\tau(e)$. By reductivity (Proposition 27)
we have $\alpha_\tau(S) \subseteq e$. Conversely, assume that $\alpha_\tau(S) \subseteq e$. By Proposition 28 and monotonicity (Proposition 27) we have $\alpha_\tau(S) = \delta_\tau\alpha_\tau(S) \subseteq
\delta_\tau(e)$. $\square$

Lemma 67 states that integer values, $\mathit{null}$ and the names of the
variables are not relevant to the definition of $\alpha$ (Definition 22).

Lemma 67 Let $\phi'\star\mu \in \Sigma_{\tau'}$ and $\phi''\star\mu \in \Sigma_{\tau''}$ such that $\mathrm{rng}(\phi') \cap \mathit{Loc} =
\mathrm{rng}(\phi'') \cap \mathit{Loc}$. Then $\alpha_{\tau'}(\phi'\star\mu) = \alpha_{\tau''}(\phi''\star\mu)$.



Lemma 68 says that if we consider all the concrete states approximated by some $e \subseteq \Pi$ and we restrict their frames, then the resulting
set of states is approximated by $\delta(e)$. In other words, the operation
$\delta$ garbage collects all objects that, because of the restriction, are no
longer reachable.

Lemma 68 Let $vs \subseteq \mathrm{dom}(\tau)$. Then
$$
\alpha_{\tau|_{-vs}}(\{\phi|_{-vs}\star\mu \mid \phi\star\mu \in \Sigma_\tau \text{ and } \alpha_\tau(\phi\star\mu) \subseteq e\}) = \delta_{\tau|_{-vs}}(e).
$$

Proof. We have
$$
\begin{aligned}
&\alpha_{\tau|_{-vs}}(\{\phi|_{-vs}\star\mu \mid \phi\star\mu \in \Sigma_\tau \text{ and } \alpha_\tau(\phi\star\mu) \subseteq e\}) \\
&= \alpha_{\tau|_{-vs}}(\{\phi|_{-vs}\star\mu \in \Sigma_{\tau|_{-vs}} \mid \phi\star\mu \in \Sigma_\tau \text{ and } \alpha_\tau(\phi\star\mu) \subseteq e\}),
\end{aligned} \tag{5}
$$
since if $\phi\star\mu \in \Sigma_\tau$ then $\phi|_{-vs}\star\mu \in \Sigma_{\tau|_{-vs}}$. We have that if $\alpha_\tau(\phi\star\mu) \subseteq e$
then $\alpha_{\tau|_{-vs}}(\phi|_{-vs}\star\mu) \subseteq e$. Hence (5) is contained in $e$. By Corollary 66,
(5) is also contained in $\delta_{\tau|_{-vs}}(e)$. But also the converse inclusion holds,
since in (5) we can restrict the choice of $\phi\star\mu \in \Sigma_\tau$ to the states built from Definition 61, so that (5) contains a set (6) which, by points ii and iii of Lemma 62, is equal to
$$
\begin{aligned}
&\alpha_{\tau|_{-vs}}(\{\phi|_{-vs}\star\mu \in \Sigma_{\tau|_{-vs}} \mid \phi \in \overline{\phi}_\tau(e),\ \mu \in \overline{\mu}(e)\}) \\
\text{(Definition 61)}\ &= \alpha_{\tau|_{-vs}}(\{\phi\star\mu \in \Sigma_{\tau|_{-vs}} \mid \phi \in \overline{\phi}_{\tau|_{-vs}}(e) \text{ and } \mu \in \overline{\mu}(e)\}) \\
\text{(Corollary 64.ii)}\ &= \delta_{\tau|_{-vs}}(e).
\end{aligned}
$$
$\square$
We are now ready to prove the correctness and optimality of the
abstract operations in Figure 9.

Proposition 31. The map $\alpha_\tau$ (Definition 22) is the abstraction map
of a Galois insertion from $\wp(\Sigma_\tau)$ to $\mathcal{E}_\tau$.

Proof. From Definition 22. $\square$

Proof of Proposition 32. By the theory of abstract interpretation [10], given $e \in \mathcal{E}_\tau$,
the concretisation map induced by the abstraction map of Definition 22
is
$$
\gamma_\tau(e) = \{\sigma \in \Sigma_\tau \mid \alpha_\tau(\sigma) \subseteq e\}.
$$
Moreover, the optimal abstract counterpart of a concrete operation $\mathit{op}$
is $\alpha \circ \mathit{op} \circ \gamma$.

We consider every operation in Figure 8 and we compute the induced optimal abstract operation, which will always coincide with that
reported in Figure 9.

Note that all the operations in Figure 8 use states in $\Sigma_\tau$ with $\mathit{this} \in
\mathrm{dom}(\tau)$ (Figure 7). By Proposition 28 we have $\gamma_\tau(\emptyset) = \emptyset$. Then the
powerset extensions of the operations in Figure 8 are strict on $\emptyset$. The
only exception is the second argument of $\mathit{return}$, which is a state whose
frame is not required to contain $\mathit{this}$ (Figure 7). The operation $\cup$ is
not the powerset extension of an operation in Figure 8. Then it is not
strict in general. Hence, in the following, we will consider just the cases
when the arguments of the abstract counterparts of the operations in
Figure 8 are not $\emptyset$ (except for the second argument of $\mathit{return}$ and for
$\cup$).

In this proof, we will use the following properties.

P1 If $e \in \mathcal{E}_\tau$, $e \ne \emptyset$ and $\mathit{this} \in \mathrm{dom}(\tau)$ then there exists $\pi \in e$ such
that $k(\pi) \le \tau(\mathit{this})$.

P2 If $e \in \mathcal{E}_\tau$, $e \ne \emptyset$ and $\mathit{this} \in \mathrm{dom}(\tau)$ then there exists $\sigma \in \Sigma_\tau$ such
that $\alpha_\tau(\sigma) \subseteq e$.

P3 $\alpha_\tau\gamma_\tau$ is the identity map.

P1 holds since $e = \delta_\tau(e)$ (Definition 29) so that, by Definition 25, we can
conclude that there exists such a $\pi$. To see that P2 is a consequence
of P1, let $\pi$ be as defined in P1; then, letting $\sigma = [\mathit{this} \mapsto l]\star[l \mapsto
\pi\star\partial(F(k(\pi)))]$ for some $l \in \mathit{Loc}$, we have $\sigma \in \Sigma_\tau$. Moreover, by
Definition 22, $\alpha_\tau(\sigma) = \{\pi\} \subseteq e$ so that P2 holds. By Proposition 31,
$\alpha_\tau$ is a Galois insertion and hence P3 holds.

nop

By P3 we have
$$
\alpha_\tau(\mathit{nop}_\tau(\gamma_\tau(e))) = \alpha_\tau\gamma_\tau(e) = e.
$$
get_int, get_null, get_var
$$
\begin{aligned}
&\alpha_{\tau[\mathit{res} \mapsto \mathit{int}]}(\mathit{get\_int}_\tau(\gamma_\tau(e))) \\
&= \alpha_{\tau[\mathit{res} \mapsto \mathit{int}]}(\{\phi[\mathit{res} \mapsto i]\star\mu \mid \phi\star\mu \in \gamma_\tau(e)\}) \\
(*)\ &= \alpha_\tau(\{\phi\star\mu \in \Sigma_\tau \mid \phi\star\mu \in \gamma_\tau(e)\}) = \alpha_\tau\gamma_\tau(e) = e,
\end{aligned}
$$
where $*$ follows by Lemma 67 since $\mathit{res} \notin \mathrm{dom}(\tau)$. For the same reason,
point $*$ follows if $\mathit{res}$ is bound to $\mathit{null}$ or to some $\phi(v)$ with $v \in \mathrm{dom}(\tau)$.
Thus the proof above is also a proof of the optimality of $\mathit{get\_null}$ and
of $\mathit{get\_var}$.

expand
$$
\begin{aligned}
&\alpha_{\tau[v \mapsto t]}(\mathit{expand}_\tau(\gamma_\tau(e))) \\
&= \alpha_{\tau[v \mapsto t]}(\{\phi[v \mapsto \partial(t)]\star\mu \mid \phi\star\mu \in \gamma_\tau(e)\}) \\
(*)\ &= \alpha_\tau(\{\phi\star\mu \in \Sigma_\tau \mid \phi\star\mu \in \gamma_\tau(e)\}) = \alpha_\tau\gamma_\tau(e) = e,
\end{aligned}
$$
where point $*$ follows by Lemma 67, since $\partial(t) \in \{0, \mathit{null}\}$ and $v \notin
\mathrm{dom}(\tau)$.

restrict
$$
\begin{aligned}
&\alpha_{\tau|_{-vs}}(\mathit{restrict}_\tau(\gamma_\tau(e))) \\
&= \alpha_{\tau|_{-vs}}(\mathit{restrict}_\tau(\{\sigma \in \Sigma_\tau \mid \alpha_\tau(\sigma) \subseteq e\})) \\
&= \alpha_{\tau|_{-vs}}(\{\phi|_{-vs}\star\mu \mid \phi\star\mu \in \Sigma_\tau \text{ and } \alpha_\tau(\phi\star\mu) \subseteq e\}) \\
\text{(Lemma 68)}\ &= \delta_{\tau|_{-vs}}(e).
\end{aligned}
$$



is_null
$$
\begin{aligned}
&\alpha_{\tau[\mathit{res} \mapsto \mathit{int}]}(\mathit{is\_null}_\tau(\gamma_\tau(e))) \\
&= \alpha_{\tau[\mathit{res} \mapsto \mathit{int}]}(\mathit{is\_null}_\tau(\{\sigma \in \Sigma_\tau \mid \alpha_\tau(\sigma) \subseteq e\})) \\
&= \alpha_{\tau[\mathit{res} \mapsto \mathit{int}]}(\{\phi[\mathit{res} \mapsto 1]\star\mu \mid \phi\star\mu \in \Sigma_\tau \text{ and } \alpha_\tau(\phi\star\mu) \subseteq e\}) \\
\text{(Lemma 67)}\ &= \alpha_{\tau|_{-\mathit{res}}}(\{\phi|_{-\mathit{res}}\star\mu \mid \phi\star\mu \in \Sigma_\tau \text{ and } \alpha_\tau(\phi\star\mu) \subseteq e\}) \\
\text{(Lemma 68)}\ &= \delta_{\tau|_{-\mathit{res}}}(e),
\end{aligned}
$$
which, by Definition 25, is the abstract operation reported in Figure 9.
put_var
$$
\begin{aligned}
&\alpha_{\tau|_{-\mathit{res}}}(\mathit{put\_var}_\tau(\gamma_\tau(e))) \\
&= \alpha_{\tau|_{-\mathit{res}}}(\mathit{put\_var}_\tau(\{\sigma \in \Sigma_\tau \mid \alpha_\tau(\sigma) \subseteq e\})) \\
&= \alpha_{\tau|_{-\mathit{res}}}(\{\phi[v \mapsto \phi(\mathit{res})]|_{-\mathit{res}}\star\mu \mid \phi\star\mu \in \Sigma_\tau \text{ and } \alpha_\tau(\phi\star\mu) \subseteq e\}).
\end{aligned} \tag{7}
$$
Observe that $\mathrm{rng}(\phi[v \mapsto \phi(\mathit{res})]|_{-\mathit{res}}) = \mathrm{rng}(\phi|_{-v})$ so that, by Lemmas 67 and 68, (7) is equal to
$$
\alpha_{\tau|_{-v}}(\{\phi|_{-v}\star\mu \mid \phi\star\mu \in \Sigma_\tau \text{ and } \alpha_\tau(\phi\star\mu) \subseteq e\}) = \delta_{\tau|_{-v}}(e).
$$

call
$$
\begin{aligned}
&\alpha_{P(\nu)|_{-\mathit{out}}}(\mathit{call}_\tau(\gamma_\tau(e))) \\
&= \alpha_{P(\nu)|_{-\mathit{out}}}(\mathit{call}_\tau(\{\sigma \in \Sigma_\tau \mid \alpha_\tau(\sigma) \subseteq e\})) \\
&= \alpha_{P(\nu)|_{-\mathit{out}}}(\{[\iota_1 \mapsto \phi(v_1), \ldots, \iota_n \mapsto \phi(v_n), \mathit{this} \mapsto \phi(\mathit{res})]\star\mu \mid \phi\star\mu \in \Sigma_\tau \text{ and } \alpha_\tau(\phi\star\mu) \subseteq e\}) \\
(*)\ &= \alpha_{\tau|_{\{v_1, \ldots, v_n, \mathit{res}\}}}(\{\phi|_{\{v_1, \ldots, v_n, \mathit{res}\}}\star\mu \mid \phi\star\mu \in \Sigma_\tau,\ \alpha_\tau(\phi\star\mu) \subseteq e\}) \\
(**)\ &= \delta_{\tau|_{\{v_1, \ldots, v_n, \mathit{res}\}}}(e),
\end{aligned}
$$
where point $*$ follows by Lemma 67 and point $**$ follows by Lemma 68.

is_true, is_false
$$
\begin{aligned}
\alpha_\tau(\mathit{is\_true}_\tau(\gamma_\tau(e)))
&= \alpha_\tau(\{\phi\star\mu \in \gamma_\tau(e) \mid \phi(\mathit{res}) > 0\}) \\
\text{(Lemma 67)}\ &= \alpha_\tau\gamma_\tau(e) = e.
\end{aligned}
$$
The optimality of $\mathit{is\_false}$ follows by a similar proof.



new

Let $\kappa = k(\pi)$. Since $\mathit{res} \notin \mathrm{dom}(\tau)$ we have
$$
\begin{aligned}
&\alpha_{\tau[\mathit{res} \mapsto \kappa]}(\mathit{new}_\tau(\gamma_\tau(e))) \\
&= \alpha_{\tau[\mathit{res} \mapsto \kappa]}(\mathit{new}_\tau(\{\sigma \in \Sigma_\tau \mid \alpha_\tau(\sigma) \subseteq e\})) \\
&= \alpha_{\tau[\mathit{res} \mapsto \kappa]}\left(\left\{\phi[\mathit{res} \mapsto l]\star\mu[l \mapsto \pi\star\partial(F(\kappa))] \;\middle|\; \phi\star\mu \in \Sigma_\tau,\ \alpha_\tau(\phi\star\mu) \subseteq e,\ l \in \mathit{Loc} \setminus \mathrm{dom}(\mu)\right\}\right) \\
&= \underbrace{\alpha_\tau(\{\phi\star\mu \in \Sigma_\tau \mid \alpha_\tau(\phi\star\mu) \subseteq e\})}_{(8)} \\
&\quad \cup\ \underbrace{\alpha_{[\mathit{res} \mapsto \kappa]}\left(\left\{[\mathit{res} \mapsto l]\star\mu[l \mapsto \pi\star\partial(F(\kappa))] \;\middle|\; \phi\star\mu \in \Sigma_\tau,\ \alpha_\tau(\phi\star\mu) \subseteq e,\ l \in \mathit{Loc} \setminus \mathrm{dom}(\mu)\right\}\right)}_{(9)}.
\end{aligned}
$$
We have that (8) is equal to $e$. By P2 and Definition 22, (9) is equal to

=, +
$$
\begin{aligned}
\alpha_\tau(=_\tau(\gamma_\tau(e_1))(\gamma_\tau(e_2)))
&= \alpha_\tau(\{=_\tau(\sigma_1)(\sigma_2) \mid \sigma_1 \in \gamma_\tau(e_1),\ \sigma_2 \in \gamma_\tau(e_2)\}) \\
\text{(P2)}\ &= \alpha_\tau(\{\sigma_2 \mid \sigma_2 \in \gamma_\tau(e_2)\}) \\
&= \alpha_\tau\gamma_\tau(e_2) = e_2.
\end{aligned}
$$
The optimality of $+$ follows by a similar proof.

return

Let $\tau' = \tau[\mathit{res} \mapsto P(\nu)(\mathit{out})]$, $\tau'' = P(\nu)|_{\mathit{out}}$ and $L = \mathrm{rng}(\phi_1|_{-\mathit{res}}) \cap \mathit{Loc}$.
$$
\begin{aligned}
&\alpha_{\tau'}(\mathit{return}_\tau(\gamma_\tau(e_1))(\gamma_{\tau''}(e_2))) \\
&= \alpha_{\tau'}(\mathit{return}_\tau(\{\sigma_1 \in \Sigma_\tau \mid \alpha_\tau(\sigma_1) \subseteq e_1\})(\{\sigma_2 \in \Sigma_{\tau''} \mid \alpha_{\tau''}(\sigma_2) \subseteq e_2\})) \\
&= \alpha_{\tau'}\left(\left\{\phi_1|_{-\mathit{res}}[\mathit{res} \mapsto \phi_2(\mathit{out})]\star\mu_2 \;\middle|\;
\underbrace{\phi_1\star\mu_1 \in \Sigma_\tau,\ \phi_2\star\mu_2 \in \Sigma_{\tau''},\ \alpha_\tau(\phi_1\star\mu_1) \subseteq e_1,\ \alpha_{\tau''}(\phi_2\star\mu_2) \subseteq e_2,\ \mu_1 =_L \mu_2}_{\mathit{Cond}}\right\}\right) \\
(*)\ &= \underbrace{\alpha_{\tau|_{-\mathit{res}}}(\{\phi_1|_{-\mathit{res}}\star\mu_2 \mid \mathit{Cond}\})}_{(10)} \cup \underbrace{\alpha_{\tau''}(\{\phi_2\star\mu_2 \mid \mathit{Cond}\})}_{(11)},
\end{aligned}
$$
where point $*$ follows by Lemma 67. Since $\alpha_{\tau''}(\phi_2\star\mu_2) \subseteq e_2$, an upper
bound of (11) is $e_2$. But $e_2$ is also a lower bound of (11) since, by Lemma 62, (11) contains
$$
\alpha_{\tau''}(\{\phi_2\star\mu_2 \mid \phi_1 \in \overline{\phi}_\tau(e_1),\ \mu_1 \in \overline{\mu}(e_1),\ \phi_2 \in \overline{\phi}_{\tau''}(e_2),\ \mu_2 \in \overline{\mu}(e_2)\}),
$$
which by Corollary 64.ii is equal to $e_2$. Note that the condition $\mu_1 =_L \mu_2$
is satisfied by Definition 61.

Instead (10) is
$$
\bigcup\left\{\{o.\pi\} \cup \alpha_{F(k(o.\pi))}(o.\phi\star\mu_2) \;\middle|\; v \in \mathrm{dom}(\phi_1|_{-\mathit{res}}),\ \phi_1|_{-\mathit{res}}(v) \in \mathit{Loc},\ o = \mu_2\phi_1|_{-\mathit{res}}(v),\ \mathit{Cond}\right\}
$$
which, since $\mu_1 =_L \mu_2$, is equal to
$$
\begin{aligned}
&\bigcup\left\{\{o.\pi\} \cup \alpha_{F(k(o.\pi))}(o.\phi\star\mu_1) \;\middle|\; v \in \mathrm{dom}(\phi_1|_{-\mathit{res}}),\ \phi_1|_{-\mathit{res}}(v) \in \mathit{Loc},\ o = \mu_1\phi_1|_{-\mathit{res}}(v),\ \mathit{Cond}\right\} \\
(*)\ &\subseteq \bigcup\left\{\{o.\pi\} \cup \delta_{F(k(o.\pi))}(e_1) \;\middle|\; v \in \mathrm{dom}(\phi_1|_{-\mathit{res}}),\ \phi_1|_{-\mathit{res}}(v) \in \mathit{Loc},\ o = \mu_1\phi_1|_{-\mathit{res}}(v),\ \mathit{Cond}\right\} \\
(**)\ &\subseteq \bigcup\left\{\{\pi\} \cup \delta_{F(k(\pi))}(e_1) \;\middle|\; \kappa \in \mathrm{rng}(\tau|_{-\mathit{res}}) \cap \mathcal{K},\ \pi \in e_1,\ k(\pi) \le \kappa,\ \mathit{Cond}\right\} \\
&\subseteq \bigcup\left\{\{\pi\} \cup \delta_{F(k(\pi))}(e_1) \;\middle|\; \kappa \in \mathrm{rng}(\tau|_{-\mathit{res}}) \cap \mathcal{K},\ \pi \in e_1,\ k(\pi) \le \kappa\right\},
\end{aligned} \tag{12}
$$
where point $*$ follows by Lemma 60 and point $**$ holds since $\mathit{Cond}$
requires that $\alpha_\tau(\phi_1\star\mu_1) \subseteq e_1$. But (12) is also a lower bound of (10),
since (10) contains
$$
\begin{aligned}
&\alpha_{\tau|_{-\mathit{res}}}\left(\left\{\phi_1|_{-\mathit{res}}\star\mu_2 \in \Sigma_{\tau|_{-\mathit{res}}} \;\middle|\; \phi_1 \in \overline{\phi}_\tau(e_1),\ \mu_1 \in \overline{\mu}(e_1),\ \phi_2 = \partial(P(\nu)|_{\mathit{out}}),\ \mu_2 \in \overline{\mu}(e_1)\right\}\right) \\
&= \alpha_{\tau|_{-\mathit{res}}}(\{\phi\star\mu \in \Sigma_{\tau|_{-\mathit{res}}} \mid \phi \in \overline{\phi}_{\tau|_{-\mathit{res}}}(e_1),\ \mu \in \overline{\mu}(e_1)\}),
\end{aligned}
$$
which by Corollary 64.i is equal to (12).
get_field

Let $\tau' = \tau[\mathit{res} \mapsto F(\tau(\mathit{res}))(f)]$ and $\tau'' = [\mathit{res} \mapsto F(\tau(\mathit{res}))(f)]$. We have
$$
\begin{aligned}
&\alpha_{\tau'}(\mathit{get\_field}_\tau(\gamma_\tau(e))) \\
&= \alpha_{\tau'}(\mathit{get\_field}_\tau(\{\phi\star\mu \in \Sigma_\tau \mid \alpha_\tau(\phi\star\mu) \subseteq e\})) \\
&= \alpha_{\tau'}\left(\left\{\phi[\mathit{res} \mapsto (\mu\phi(\mathit{res})).\phi(f)]\star\mu \;\middle|\; \phi\star\mu \in \Sigma_\tau,\ \phi(\mathit{res}) \ne \mathit{null},\ \alpha_\tau(\phi\star\mu) \subseteq e\right\}\right) \\
&= \alpha_{\tau|_{-\mathit{res}}}(\{\phi|_{-\mathit{res}}\star\mu \mid \phi\star\mu \in \Sigma_\tau,\ \phi(\mathit{res}) \ne \mathit{null},\ \alpha_\tau(\phi\star\mu) \subseteq e\}) \\
&\quad \cup\ \alpha_{\tau''}\left(\left\{[\mathit{res} \mapsto (\mu\phi(\mathit{res})).\phi(f)]\star\mu \;\middle|\; \phi\star\mu \in \Sigma_\tau,\ \phi(\mathit{res}) \ne \mathit{null},\ \alpha_\tau(\phi\star\mu) \subseteq e\right\}\right).
\end{aligned} \tag{13}
$$
(13) is equal to $\emptyset$ if $\{\pi \in e \mid k(\pi) \le \tau(\mathit{res})\} = \emptyset$, since in such a case
the condition $\phi(\mathit{res}) \ne \mathit{null}$ cannot be satisfied. Since $\alpha_\tau(\phi\star\mu) \subseteq e$, an
upper bound of (13) is $e$. By Corollary 66, also $\delta_{\tau'}(e)$ is an upper bound
of (13). But it is also a lower bound of (13), since, from the hypothesis
on $e$ and from points ii and iii of Lemma 62, (13) contains
$$
\begin{aligned}
&\alpha_{\tau|_{-\mathit{res}}}(\{\phi|_{-\mathit{res}}\star\mu \in \Sigma_{\tau|_{-\mathit{res}}} \mid \phi \in \overline{\phi}_\tau(e),\ \mu \in \overline{\mu}(e)\}) \\
&\quad \cup\ \alpha_{\tau''}(\{[\mathit{res} \mapsto (\mu\phi(\mathit{res})).\phi(f)]\star\mu \in \Sigma_{\tau''} \mid \phi \in \overline{\phi}_\tau(e),\ \mu \in \overline{\mu}(e)\}) \\
(*)\ &= \alpha_{\tau|_{-\mathit{res}}}(\{\phi\star\mu \in \Sigma_{\tau|_{-\mathit{res}}} \mid \phi \in \overline{\phi}_{\tau|_{-\mathit{res}}}(e),\ \mu \in \overline{\mu}(e)\}) \\
&\quad \cup\ \alpha_{\tau''}(\{\phi\star\mu \in \Sigma_{\tau''} \mid \phi \in \overline{\phi}_{\tau''}(e),\ \mu \in \overline{\mu}(e)\}) \\
(**)\ &= \delta_{\tau|_{-\mathit{res}}}(e) \cup \delta_{\tau''}(e) = \delta_{\tau'}(e),
\end{aligned}
$$
where point $*$ follows by Definition 61 and point $**$ follows by Corollary 64.ii.



lookup
$$
\begin{aligned}
&\alpha_\tau(\mathit{lookup}_\tau(\gamma_\tau(e))) \\
&= \alpha_\tau(\mathit{lookup}_\tau(\{\phi\star\mu \in \Sigma_\tau \mid \alpha_\t(\phi\star\mu) \subseteq e\})) \\
&= \alpha_\tau\left(\left\{\phi\star\mu \in \Sigma_\tau \;\middle|\; \underbrace{\alpha_\tau(\phi\star\mu) \subseteq e,\ \phi(\mathit{res}) \ne \mathit{null},\ M(k((\mu\phi(\mathit{res})).\pi))(m) = \nu}_{\mathit{Cond}}\right\}\right).
\end{aligned} \tag{14}
$$
Equation (14) is equal to $\emptyset$ if there is no $\pi \in e$ such that $k(\pi) \le \tau(\mathit{res})$
and $M(k(\pi))(m) = \nu$, because in such a case it is not possible to satisfy
the condition $M(k((\mu\phi(\mathit{res})).\pi))(m) = \nu$. Otherwise, it is equal to
$$
\underbrace{\alpha_{\tau|_{-\mathit{res}}}(\{\phi|_{-\mathit{res}}\star\mu \mid \phi\star\mu \in \Sigma_\tau,\ \mathit{Cond}\})}_{(15)}
\ \cup\ 
\underbrace{\alpha_{\tau|_{\mathit{res}}}(\{\phi|_{\mathit{res}}\star\mu \mid \phi\star\mu \in \Sigma_\tau,\ \mathit{Cond}\})}_{(16)}.
$$
Since $\mathit{Cond}$ requires that $\alpha_\tau(\phi\star\mu) \subseteq e$, by Corollary 66 an upper bound
of (15) is $\delta_{\tau|_{-\mathit{res}}}(e)$. But it is also a lower bound of (15), since a lower
bound of (15) is
$$
\begin{aligned}
&\alpha_{\tau|_{-\mathit{res}}}\left(\left\{\phi|_{-\mathit{res}}\star\mu \in \Sigma_{\tau|_{-\mathit{res}}} \;\middle|\; \phi \in \overline{\phi}_\tau(e),\ \mu \in \overline{\mu}(e),\ \phi(\mathit{res}) \ne \mathit{null},\ M(k((\mu\phi(\mathit{res})).\pi))(m) = \nu\right\}\right) \\
(*)\ &= \alpha_{\tau|_{-\mathit{res}}}(\{\phi\star\mu \in \Sigma_{\tau|_{-\mathit{res}}} \mid \phi \in \overline{\phi}_{\tau|_{-\mathit{res}}}(e),\ \mu \in \overline{\mu}(e)\}) \\
(**)\ &= \delta_{\tau|_{-\mathit{res}}}(e).
\end{aligned}
$$
Point $*$ follows from the hypothesis on $e$. Point $**$ follows by Corollary 64.ii.

Instead, (16) is contained in
$$
\begin{aligned}
&\alpha_{\tau|_{\mathit{res}}}\left(\left\{\phi|_{\mathit{res}}\star\mu \;\middle|\; \phi \in \overline{\phi}_\tau(e),\ \mu \in \overline{\mu}(e),\ M(k((\mu\phi(\mathit{res})).\pi))(m) = \nu\right\}\right) \\
&= \alpha_{\tau|_{\mathit{res}}}\left(\left\{\phi\star\mu \in \Sigma_{\tau|_{\mathit{res}}} \;\middle|\; \phi \in \overline{\phi}_{\tau|_{\mathit{res}}}(e),\ \mu \in \overline{\mu}(e),\ M(k((\mu\phi(\mathit{res})).\pi))(m) = \nu\right\}\right),
\end{aligned}
$$
which, by Corollary 65, is
$$
\bigcup\left\{\{\pi\} \cup \delta_{F(k(\pi))}(e) \;\middle|\; \pi \in e,\ k(\pi) \le \tau(\mathit{res}),\ M(k(\pi))(m) = \nu\right\}.
$$

put_field
$$
\begin{aligned}
&\alpha_{\tau|_{-\mathit{res}}}(\mathit{put\_field}_{\tau,\tau'}(\gamma_\tau(e_1))(\gamma_{\tau'}(e_2))) \\
&= \alpha_{\tau|_{-\mathit{res}}}(\mathit{put\_field}_{\tau,\tau'}(\{\sigma_1 \in \Sigma_\tau \mid \alpha_\tau(\sigma_1) \subseteq e_1\})(\{\sigma_2 \in \Sigma_{\tau'} \mid \alpha_{\tau'}(\sigma_2) \subseteq e_2\})) \\
&= \alpha_{\tau|_{-\mathit{res}}}\left(\left\{\phi_2|_{-\mathit{res}}\star\mu_2[l \mapsto \mu_2(l).\pi\star\mu_2(l).\phi[f \mapsto \phi_2(\mathit{res})]] \;\middle|\;
\begin{array}{l}
\phi_1\star\mu_1 \in \Sigma_\tau,\ \phi_2\star\mu_2 \in \Sigma_{\tau'} \\
\alpha_\tau(\phi_1\star\mu_1) \subseteq e_1,\ \alpha_{\tau'}(\phi_2\star\mu_2) \subseteq e_2 \\
(l = \phi_1(\mathit{res})) \ne \mathit{null},\ \mu_1 =_l \mu_2
\end{array}\right\}\right),
\end{aligned} \tag{17}
$$
which is $\emptyset$ if there is no $\pi \in e_1$ such that $k(\pi) \le \tau(\mathit{res})$, since in such
a case the condition $\phi_1(\mathit{res}) \ne \mathit{null}$ cannot be satisfied. Otherwise,
note that the operation $\mathit{put\_field}$ copies the value of $\phi_2(\mathit{res})$, which is
obviously reachable from $\phi_2$, inside a field. Since $\alpha_{\tau'}(\phi_2\star\mu_2) \subseteq e_2$, we
conclude that an upper bound of (17) is $e_2$. Then $\delta_{\tau|_{-\mathit{res}}}(e_2)$ is also an
upper bound of (17) (Corollary 66). We show that it is also a lower
bound. Let $\pi_1 \in e_1$ be such that $k(\pi_1) \le \tau(\mathit{this})$ (possible by P1) and
$\pi_2 \in e_1$ be such that $k(\pi_2) \le \tau(\mathit{res})$ (possible by the hypothesis on $e_1$).
Let $o_1 = \pi_1\star\partial(F(k(\pi_1)))$ and $o_2 = \pi_2\star\partial(F(k(\pi_2)))$. We obtain the
following lower bound of (17) by choosing special cases for $\phi_1$, $\mu_1$, $\phi_2$
and $\mu_2$:
$$
\alpha_{\tau|_{-\mathit{res}}}\left(\left\{\phi_2|_{-\mathit{res}}\star\mu_2[l_2 \mapsto \mu_2(l_2).\pi\star\mu_2(l_2).\phi[f \mapsto \phi_2(\mathit{res})]] \;\middle|\;
\begin{array}{l}
\phi_1 = \partial(\tau)[\mathit{this} \mapsto l_1, \mathit{res} \mapsto l_2] \\
\phi_2 \in \overline{\phi}_{\tau'}(e_2),\ \hat\mu_2 \in \overline{\mu}(e_2) \\
\phi_2\star\hat\mu_2 \in \Sigma_{\tau'} \\
\mu_1 = \mu_2 = \hat\mu_2[l_1 \mapsto o_1, l_2 \mapsto o_2] \\
l_1, l_2 \in \mathit{Loc} \setminus \mathrm{dom}(\hat\mu_2),\ l_1 \ne l_2
\end{array}\right\}\right). \tag{18}
$$
Since $l_2$ is used neither in $\phi_2$ nor in $\hat\mu_2$, (18) becomes
$$
\begin{aligned}
&\alpha_{\tau|_{-\mathit{res}}}(\{\phi_2|_{-\mathit{res}}\star\hat\mu_2 \in \Sigma_{\tau|_{-\mathit{res}}} \mid \phi_2 \in \overline{\phi}_{\tau'}(e_2),\ \hat\mu_2 \in \overline{\mu}(e_2)\}) \\
\text{(Definition 61)}\ &= \alpha_{\tau|_{-\mathit{res}}}(\{\phi\star\mu \in \Sigma_{\tau|_{-\mathit{res}}} \mid \phi \in \overline{\phi}_{\tau|_{-\mathit{res}}}(e_2),\ \mu \in \overline{\mu}(e_2)\}) \\
\text{(Lemma 63)}\ &= \delta_{\tau|_{-\mathit{res}}}(e_2).
\end{aligned}
$$

$\cup$

By additivity (Proposition 31), the best approximation of $\cup$ over $\wp(\Sigma_\tau)$
is $\cup$ over $\wp(\Pi)$.



B. Proofs of Propositions 46, 47, 50 and 56 in Section 5.

Proposition 46. The abstract garbage collector $\xi_\tau$ is an lco.

Proof. By Definition 44, the map $\xi_\tau$ is reductive and monotonic.
For idempotency, we have $\xi_\tau\xi_\tau(\bot) = \bot = \xi_\tau(\bot)$. Let $s = \phi\star\mu \in \mathit{Frame}^{\mathcal{ER}}_\tau \times
\mathit{Memory}^{\mathcal{ER}}$. If $\mathit{this} \in \mathrm{dom}(\tau)$ and $\phi(\mathit{this}) = \emptyset$ then $\xi_\tau\xi_\tau(s) = \bot =
\xi_\tau(s)$. Otherwise, we prove that $\rho_\tau\xi_\tau(s) = \rho_\tau(s)$, which entails the
thesis by Definition 44. We have
$$
\begin{aligned}
\rho_\tau\xi_\tau(\phi\star\mu) &= \rho_\tau\left(\phi\star\bigcup\{\mu|_{\mathrm{dom}(F(k(\pi')))} \mid \pi' \in \rho_\tau(\phi\star\mu)\}\right) \\
&= \{\pi \in \phi(v) \mid v \in \mathrm{dom}(\tau),\ \tau(v) \in \mathcal{K}\} \cup
\bigcup\left\{\mu(f) \;\middle|\; \pi' \in \rho_\tau(\phi\star\mu),\ f \in \mathrm{dom}(F(k(\pi'))),\ F(k(\pi'))(f) \in \mathcal{K}\right\} \\
&= \rho_\tau(\phi\star\mu).
\end{aligned}
$$
$\square$




To prove Proposition 47, we need some preliminary definitions and
results.

Let $s \in \mathit{Frame}^{\mathcal{ER}}_\tau \times \mathit{Memory}^{\mathcal{ER}}$. We define frames and memories
which use all possible creation points allowed by $s$.

Definition 69 Let $\phi \in \mathit{Frame}^{\mathcal{ER}}_\tau$, $\mu \in \mathit{Memory}^{\mathcal{ER}}$ and $l : \Pi \mapsto \mathit{Loc}$ be
one-to-one. We define
$$
\overline{\phi}_\tau = \left\{\phi^\flat \in \mathit{Frame}_\tau \;\middle|\; \text{for every } v \in \mathrm{dom}(\tau)\ 
\begin{array}{l}
\text{if } \tau(v) = \mathit{int} \text{ then } \phi^\flat(v) = 0 \\
\text{if } \tau(v) \in \mathcal{K} \text{ and } \phi(v) = \emptyset \text{ then } \phi^\flat(v) = \mathit{null} \\
\text{if } \tau(v) \in \mathcal{K} \text{ and } \phi(v) \ne \emptyset \text{ then } \phi^\flat(v) \in l(\phi(v))
\end{array}\right\},
$$
$$
\overline{\mu} = \left\{\mu^\flat \in \mathit{Memory} \;\middle|\; \mathrm{dom}(\mu^\flat) = \mathrm{rng}(l),\ \mu^\flat(l(\pi)) = \pi\star\phi_\pi \text{ with } \phi_\pi \in \overline{\mu|_{\mathrm{dom}(F(k(\pi)))}} \text{ for every } \pi \in \Pi\right\},
$$
where $\mu|_{\mathrm{dom}(F(k(\pi)))}$ is read as an abstract frame over $F(k(\pi))$.

Lemma 70 is needed in the proof of Lemma 71.

Lemma 70 Let $\phi \in \mathit{Frame}^{\mathcal{ER}}_\tau$, $\mu \in \mathit{Memory}^{\mathcal{ER}}$, $\phi^\flat \in \overline{\phi}_\tau$ and $\mu^\flat \in \overline{\mu}$.
Then $\varepsilon_\tau(\phi^\flat\star\mu^\flat) \sqsubseteq \phi$.

Proof. For every $v \in \mathrm{dom}(\tau)$ we have
$$
\begin{aligned}
\varepsilon_\tau(\phi^\flat\star\mu^\flat)(v) &= \begin{cases}
* & \text{if } \tau(v) = \mathit{int} \\
\{(\mu^\flat\phi^\flat(v)).\pi\} & \text{if } \tau(v) \in \mathcal{K} \text{ and } \phi^\flat(v) \in \mathit{Loc} \\
\emptyset & \text{otherwise}
\end{cases} \\
\text{(Definition 69)}\ &= \begin{cases}
* & \text{if } \tau(v) = \mathit{int} \\
\{(\mu^\flat(l(\pi'))).\pi\} & \text{if } \tau(v) \in \mathcal{K},\ \phi^\flat(v) \in \mathit{Loc},\ \pi' \in \phi(v),\ \phi^\flat(v) = l(\pi') \\
\emptyset & \text{otherwise}
\end{cases} \\
&= \begin{cases}
* & \text{if } \tau(v) = \mathit{int} \\
\{\pi'\} & \text{if } \tau(v) \in \mathcal{K},\ \phi^\flat(v) \in \mathit{Loc},\ \pi' \in \phi(v),\ \phi^\flat(v) = l(\pi') \\
\emptyset & \text{otherwise}
\end{cases} \\
&\sqsubseteq \phi(v).
\end{aligned}
$$
$\square$



We prove now some properties of the frames and memories of Definition 69.

Lemma 71 Let $\phi \in \mathit{Frame}^{\mathcal{ER}}_\tau$, $\mu \in \mathit{Memory}^{\mathcal{ER}}$, $\phi^\flat \in \overline{\phi}_\tau$ and $\mu^\flat \in \overline{\mu}$.
Then

i) $\phi^\flat\star\mu^\flat : \tau$;

ii) $\phi^\flat\star\mu^\flat \in \Sigma_\tau$ if and only if $\mathit{this} \notin \mathrm{dom}(\tau)$ or $\phi(\mathit{this}) \ne \emptyset$;

iii) If $\phi^\flat\star\mu^\flat \in \Sigma_\tau$ then $\alpha_\tau(\phi^\flat\star\mu^\flat) \sqsubseteq \phi\star\mu$.

Proof.

i) Condition 1 of Definition 14 holds since $\mathrm{rng}(\phi^\flat) \cap \mathit{Loc} \subseteq \mathrm{rng}(l) =
\mathrm{dom}(\mu^\flat)$. Moreover, if $v \in \mathrm{dom}(\phi^\flat)$ and $\phi^\flat(v) \in \mathit{Loc}$ then $\phi^\flat(v) \in
l(\phi(v))$. Thus there exists $\pi \in \phi(v)$ with $(\mu^\flat\phi^\flat(v)).\pi = \pi$ and such
that $k((\mu^\flat\phi^\flat(v)).\pi) = k(\pi) \le \tau(v)$. Condition 2 holds since if
$o \in \mathrm{rng}(\mu^\flat)$ then $o.\phi = \phi_\pi$ for some $\pi \in \Pi$. Since $\phi_\pi \in \overline{\mu|_{\mathrm{dom}(F(k(\pi)))}}$,
reasoning as above we have that $\phi_\pi$ is weakly $F(k(\pi))$-correct w.r.t.
$\mu^\flat$. Then $\phi^\flat\star\mu^\flat : \tau$.

ii) By point i, we know that $\phi^\flat\star\mu^\flat : \tau$. From Definition 16, we have
$\phi^\flat\star\mu^\flat \in \Sigma_\tau$ if and only if $\mathit{this} \notin \mathrm{dom}(\tau)$ or $\phi^\flat(\mathit{this}) \ne \mathit{null}$. By
Definition 69, the latter case holds if and only if $\phi(\mathit{this}) \ne \emptyset$.

iii) By Definition 41 we have
$$
\begin{aligned}
\alpha_\tau(\phi^\flat\star\mu^\flat) &= \varepsilon_\tau(\phi^\flat\star\mu^\flat) \star \varepsilon(\{o.\phi\star\mu^\flat \mid o \in O_\tau(\phi^\flat\star\mu^\flat)\}) \\
\text{(Lemma 70)}\ &\sqsubseteq \phi \star \varepsilon(\{o.\phi\star\mu^\flat \mid o \in O_\tau(\phi^\flat\star\mu^\flat)\}).
\end{aligned}
$$
By Definition 69, for every $o \in O_\tau(\phi^\flat\star\mu^\flat)$ we have $o.\phi \in \overline{\mu|_{\mathrm{dom}(F(k(o.\pi)))}}$,
so that, by Lemma 70, $\varepsilon_{F(k(o.\pi))}(o.\phi\star\mu^\flat) \sqsubseteq \mu|_{\mathrm{dom}(F(k(o.\pi)))}$. Then we have
$\varepsilon(\{o.\phi\star\mu^\flat \mid o \in O_\tau(\phi^\flat\star\mu^\flat)\}) \sqsubseteq \mu$. $\square$

Lemma 72 states that, given an abstract state $s$, if a creation point $\pi$
belongs to $\rho^i(s)$ then there is a concrete state $\sigma$ among those in Definition 69 and an object in $O^i(\sigma)$ created at $\pi$, and vice versa. In other
words, $\rho^i(s)$ collects all and only the creation points of the objects
which can ever be reached in a concrete state approximated by $s$.

Lemma 72 Let $\phi \in \mathit{Frame}^{\mathcal{ER}}_\tau$ be such that if $\mathit{this} \in \mathrm{dom}(\tau)$ then
$\phi(\mathit{this}) \ne \emptyset$, $\mu \in \mathit{Memory}^{\mathcal{ER}}$ and $i \in \mathbb{N}$. Then $\pi \in \rho^i_\tau(\phi\star\mu)$ if and
only if there exist $\phi^\flat \in \overline{\phi}_\tau$ and $\mu^\flat \in \overline{\mu}$ such that $\pi = o.\pi$ for a suitable
$o \in O^i_\tau(\phi^\flat\star\mu^\flat)$.

Proof. We proceed by induction on $i$. If $i = 0$ the result holds since
$\rho^0_\tau(\phi\star\mu) = \emptyset$ and for every $\phi^\flat \in \overline{\phi}_\tau$ and $\mu^\flat \in \overline{\mu}$ we have $O^0_\tau(\phi^\flat\star\mu^\flat) =
\emptyset$. Assume that it holds for a given $i \in \mathbb{N}$. We have $\pi \in \rho^{i+1}_\tau(\phi\star\mu)$
if and only if $\pi \in \phi(v)$ with $v \in \mathrm{dom}(\tau)$ (and hence $\tau(v) \in \mathcal{K}$) or
$\pi \in \rho^i_{F(k(\pi'))}(\mu|_{\mathrm{dom}(F(k(\pi')))}\star\mu)$ with $v \in \mathrm{dom}(\tau)$ and $\pi' \in \phi(v)$ (and
hence $\tau(v) \in \mathcal{K}$). The first case holds if and only if $o.\pi = \pi$ with
$o = \mu^\flat\phi^\flat(v)$, $v \in \mathrm{dom}(\tau)$ and $\phi^\flat(v) \in \mathit{Loc}$ for suitable $\phi^\flat \in \overline{\phi}_\tau$ and
$\mu^\flat \in \overline{\mu}$ (Definition 69). By inductive hypothesis, the second case holds
if and only if there exist $\phi^\flat_1 \in \overline{\mu|_{\mathrm{dom}(F(k(\pi')))}}$ and $\mu^\flat \in \overline{\mu}$ such that $\pi = o.\pi$
for a suitable $o \in O^i_{F(k(\pi'))}(\phi^\flat_1\star\mu^\flat)$, if and only if (Definition 69) there
exist $\phi^\flat \in \overline{\phi}_\tau$ and $\mu^\flat \in \overline{\mu}$ such that $\pi = o.\pi$, $v \in \mathrm{dom}(\tau)$, $\phi^\flat(v) \in \mathit{Loc}$,
$o' = \mu^\flat\phi^\flat(v)$ and $o \in O^i_{F(k(o'.\pi))}(o'.\phi\star\mu^\flat)$. Together, the first or the
second case hold if and only if there exist $\phi^\flat \in \overline{\phi}_\tau$ and $\mu^\flat \in \overline{\mu}$ such that
$o \in O^{i+1}_\tau(\phi^\flat\star\mu^\flat)$ and $o.\pi = \pi$ (Definition 21). $\square$

Lemma 73 says that the concrete states constructed through the
frames and memories of Definition 69 represent a worst case w.r.t. the
set of creation points of the objects reachable in every concrete state.

Lemma 73 Let $\phi\star\mu \in \Sigma_\tau$, $i \in \mathbb{N}$ and $\phi^\#\star\mu^\# = \alpha^{\mathcal{ER}}_\tau(\phi\star\mu)$. If $o \in
O^i_\tau(\phi\star\mu)$ then there exist $\phi^\flat \in \overline{\phi^\#}_\tau$ and $\mu^\flat \in \overline{\mu^\#}$ such that $o' \in
O^i_\tau(\phi^\flat\star\mu^\flat)$ and $o'.\pi = o.\pi$.

Proof. We proceed by induction on $i$. We have $O^0_\tau(\phi\star\mu) = \emptyset$ and
the result holds for $i = 0$. Assume that it holds for a given $i \in \mathbb{N}$. Let
$o \in O^{i+1}_\tau(\phi\star\mu)$. We have $o = \mu\phi(v)$ with $v \in \mathrm{dom}(\tau)$ and $\phi(v) \in \mathit{Loc}$
or $o \in O^i_{F(k(o'.\pi))}(o'.\phi\star\mu)$ with $v \in \mathrm{dom}(\tau)$, $\phi(v) \in \mathit{Loc}$ and $o' = \mu\phi(v)$.

In the first case, we have $o.\pi \in \phi^\#(v)$ and there exist $\phi^\flat \in \overline{\phi^\#}_\tau$ and
$\mu^\flat \in \overline{\mu^\#}$ such that $(\mu^\flat\phi^\flat(v)).\pi = o.\pi$, and the thesis follows by letting $o' =
\mu^\flat\phi^\flat(v)$. In the second case, by inductive hypothesis we know that there
exist $\phi^\flat_1 \in \overline{\mu^\#|_{\mathrm{dom}(F(k(o'.\pi)))}}$ and $\mu^\flat \in \overline{\mu^\#}$ such that $o'' \in O^i_{F(k(o'.\pi))}(\phi^\flat_1\star\mu^\flat)$,
$o''.\pi = o.\pi$, $v \in \mathrm{dom}(\tau)$, $\phi(v) \in \mathit{Loc}$ and $o' = \mu\phi(v)$, if and only if
(Definitions 69 and 21) there exist $\phi^\flat \in \overline{\phi^\#}_\tau$ and $\mu^\flat \in \overline{\mu^\#}$ such that
$o'' \in O^{i+1}_\tau(\phi^\flat\star\mu^\flat)$ and $o''.\pi = o.\pi$. $\square$

Lemma 74 gives an explicit definition of the abstraction of the set
of states constructed from the frames and memories of Definition 69.

Lemma 74 Let $\phi \in \mathit{Frame}^{\mathcal{ER}}_\tau$ and $\mu \in \mathit{Memory}^{\mathcal{ER}}$. Then
$$
\alpha^{\mathcal{ER}}_\tau(\{\phi^\flat\star\mu^\flat \in \Sigma_\tau \mid \phi^\flat \in \overline{\phi}_\tau \text{ and } \mu^\flat \in \overline{\mu}\}) = \xi_\tau(\phi\star\mu).
$$

Proof. Let $A_\tau = \alpha^{\mathcal{ER}}_\tau(\{\phi^\flat\star\mu^\flat \in \Sigma_\tau \mid \phi^\flat \in \overline{\phi}_\tau \text{ and } \mu^\flat \in \overline{\mu}\})$. If
$\mathit{this} \in \mathrm{dom}(\tau)$ and $\phi(\mathit{this}) = \emptyset$, then $A_\tau = \bot$ because of Lemma 71.ii.
Moreover, $\xi_\tau(\phi\star\mu) = \bot$ (Definition 44). Otherwise, by Definition 69
we have
$$
\begin{aligned}
A_\tau &= \phi\star\varepsilon(\{o.\phi\star\mu^\flat \mid \phi^\flat \in \overline{\phi}_\tau,\ \mu^\flat \in \overline{\mu},\ o \in O_\tau(\phi^\flat\star\mu^\flat)\}) \\
&= \phi\star\varepsilon(\{\phi'\star\mu^\flat \mid \phi' \in \overline{\mu|_{\mathrm{dom}(F(k(o.\pi)))}},\ \phi^\flat \in \overline{\phi}_\tau,\ \mu^\flat \in \overline{\mu},\ o \in O_\tau(\phi^\flat\star\mu^\flat)\}) \\
&= \phi\star\varepsilon(\{\phi'\star\mu' \mid \phi' \in \overline{\mu|_{\mathrm{dom}(F(k(o.\pi)))}},\ \phi^\flat \in \overline{\phi}_\tau,\ \mu' \in \overline{\mu},\ o \in O_\tau(\phi^\flat\star\mu^\flat)\}),
\end{aligned} \tag{19}
$$
since $\varepsilon$ does not depend on the frames of the objects in memory
(Definition 37). By Lemma 72, (19) is equal to
$$
\begin{aligned}
&\phi\star\varepsilon(\{\phi'\star\mu' \mid \phi' \in \overline{\mu|_{\mathrm{dom}(F(k(\pi)))}},\ \mu' \in \overline{\mu},\ \pi \in \rho_\tau(\phi\star\mu)\}) \\
&= \phi\star\bigcup\{\mu|_{\mathrm{dom}(F(k(\pi)))} \mid \pi \in \rho_\tau(\phi\star\mu)\} \\
&= \xi_\tau(\phi\star\mu).
\end{aligned}
$$
$\square$



We now prove Proposition 47. To do this, we will use the set of
states constructed from the frames and memories in Definition 69 to
show that $\alpha^{\mathcal{ER}}_\tau$ is onto.

Proposition 47. Let $\xi_\tau$ be the abstract garbage collector of Definition 44. Then $\mathrm{fp}(\xi_\tau) = \mathrm{rng}(\alpha^{\mathcal{ER}}_\tau)$.

Proof. Let $X \subseteq \Sigma_\tau$. By Proposition 46, Lemmas 73 and 74 and
Definition 41, we have
$$
\begin{aligned}
\alpha^{\mathcal{ER}}_\tau(X) &= \bigsqcup\{\alpha^{\mathcal{ER}}_\tau(\sigma) \mid \sigma \in X\} \\
&\sqsubseteq \bigsqcup\left\{\alpha^{\mathcal{ER}}_\tau(\{\phi^\flat\star\mu^\flat \in \Sigma_\tau \mid \phi^\flat \in \overline{\alpha^{\mathcal{ER}}_\tau(\sigma).\phi}_\tau,\ \mu^\flat \in \overline{\alpha^{\mathcal{ER}}_\tau(\sigma).\mu}\}) \;\middle|\; \sigma \in X\right\} \\
&= \bigsqcup\{\xi_\tau\alpha^{\mathcal{ER}}_\tau(\sigma) \mid \sigma \in X\} \sqsubseteq \xi_\tau\alpha^{\mathcal{ER}}_\tau(X).
\end{aligned}
$$
The converse inclusion holds since $\xi_\tau$ is reductive (Proposition 46) and,
hence, $\alpha^{\mathcal{ER}}_\tau(X) \in \mathrm{fp}(\xi_\tau)$. Conversely, let $s = \phi\star\mu \in \mathrm{fp}(\xi_\tau)$ and $X = \{\phi^\flat\star\mu^\flat \in
\Sigma_\tau \mid \phi^\flat \in \overline{\phi}_\tau,\ \mu^\flat \in \overline{\mu}\}$. By Lemma 74 and since $s \in \mathrm{fp}(\xi_\tau)$, we have
$$
\alpha^{\mathcal{ER}}_\tau(X) = \xi_\tau(s) = s.
$$
$\square$

The proof of Proposition 50 requires some preliminary results.

Corollary 75 states that if we know that the approximation of a set of concrete states $S$ is some $\phi\ast\mu$, then we can conclude that a better approximation of $S$ is $\xi(\phi\ast\mu)$. In other words, garbage is not used in the approximation.

Corollary 75 Let $S\subseteq\Sigma_\tau$, $\phi\in\mathit{Frame}^{\mathcal{ER}}_\tau$ and $\mu\in\mathit{Memory}^{\mathcal{ER}}$. Then $\alpha_\tau(S)\subseteq\xi_\tau(\phi\ast\mu)$ if and only if $\alpha_\tau(S)\subseteq\phi\ast\mu$.

Proof. Assume that $\alpha_\tau(S)\subseteq\xi_\tau(\phi\ast\mu)$. By reductivity (Proposition 46) we have $\alpha_\tau(S)\subseteq\phi\ast\mu$. Conversely, assume that $\alpha_\tau(S)\subseteq\phi\ast\mu$. By Proposition 47 and monotonicity (Proposition 46) we have $\alpha_\tau(S)=\xi_\tau\alpha_\tau(S)\subseteq\xi_\tau(\phi\ast\mu)$. □

The following lemma will be used in the proof of Proposition 50. It states that the approximation of a variable depends on the concrete value of that variable only, and that the approximation of a memory is the same if the locations in the frame do not change (although they may be bound to different variables).

Lemma 76 Let $\phi'\ast\mu\in\Sigma_{\tau'}$ and $\phi''\ast\mu\in\Sigma_{\tau''}$. Then

i) if $\phi'(v)=\phi''(v)$ for each $v\in\mathrm{dom}(\tau')\cap\mathrm{dom}(\tau'')$, then we have $(\alpha_{\tau'}(\phi'\ast\mu)).\phi(v)=(\alpha_{\tau''}(\phi''\ast\mu)).\phi(v)$;

ii) if $\mathrm{rng}(\phi')\cap\mathit{Loc}=\mathrm{rng}(\phi'')\cap\mathit{Loc}$, then we have $(\alpha_{\tau'}(\phi'\ast\mu)).\mu=(\alpha_{\tau''}(\phi''\ast\mu)).\mu$.

Proof. From Definition 41. □

Lemma 77 says that if we consider all the concrete states approximated by some $\phi^\sharp\ast\mu^\sharp$ and we restrict their frames, the resulting set of states is approximated by $\xi_{\tau|_{-vs}}(\phi^\sharp|_{-vs}\ast\mu^\sharp)$. In other words, the operation $\xi$ garbage collects all objects that, because of the restriction, are no longer reachable.

Lemma 77 Let $vs\subseteq\mathrm{dom}(\tau)$ and $\phi^\sharp\ast\mu^\sharp\in\mathcal{ER}_\tau$. Then

$$\alpha_{\tau|_{-vs}}(\{\phi|_{-vs}\ast\mu \mid \phi\ast\mu\in\Sigma_\tau\text{ and }\alpha_\tau(\phi\ast\mu)\subseteq\phi^\sharp\ast\mu^\sharp\}) = \xi_{\tau|_{-vs}}(\phi^\sharp|_{-vs}\ast\mu^\sharp)\,.$$

Proof. We have

$$\begin{aligned}
&\alpha_{\tau|_{-vs}}(\{\phi|_{-vs}\ast\mu \mid \phi\ast\mu\in\Sigma_\tau\text{ and }\alpha_\tau(\phi\ast\mu)\subseteq\phi^\sharp\ast\mu^\sharp\})\\
&= \alpha_{\tau|_{-vs}}(\{\phi|_{-vs}\ast\mu\in\Sigma_{\tau|_{-vs}} \mid \phi\ast\mu\in\Sigma_\tau\text{ and }\alpha_\tau(\phi\ast\mu)\subseteq\phi^\sharp\ast\mu^\sharp\})\,, \qquad (20)
\end{aligned}$$

since if $\phi\ast\mu\in\Sigma_\tau$ then $\phi|_{-vs}\ast\mu\in\Sigma_{\tau|_{-vs}}$. We have that, if $\alpha_\tau(\phi\ast\mu)\subseteq\phi^\sharp\ast\mu^\sharp$ then $\alpha_{\tau|_{-vs}}(\phi|_{-vs}\ast\mu)\subseteq\phi^\sharp|_{-vs}\ast\mu^\sharp$. Hence (20) is contained in $\phi^\sharp|_{-vs}\ast\mu^\sharp$. By Corollary 75, the set (20) is also contained in the set $\xi_{\tau|_{-vs}}(\phi^\sharp|_{-vs}\ast\mu^\sharp)$. But also the converse inclusion holds, since in (20) we can restrict the choice of $\phi\ast\mu\in\Sigma_\tau$, so that (20) contains

$$\alpha_{\tau|_{-vs}}(\{\phi|_{-vs}\ast\mu\in\Sigma_{\tau|_{-vs}} \mid \phi\in\overline{\phi^\sharp}^{\tau},\ \mu\in\overline{\mu^\sharp}\})\,. \qquad (21)$$

By points ii and iii of Lemma 62, (21) is equal to

$$\begin{aligned}
&\alpha_{\tau|_{-vs}}(\{\phi|_{-vs}\ast\mu\in\Sigma_{\tau|_{-vs}} \mid \phi|_{-vs}\in\overline{\phi^\sharp|_{-vs}}^{\tau|_{-vs}},\ \mu\in\overline{\mu^\sharp}\})\\
\text{(Definition 69)}\quad &= \alpha_{\tau|_{-vs}}(\{\phi\ast\mu\in\Sigma_{\tau|_{-vs}} \mid \phi\in\overline{\phi^\sharp|_{-vs}}^{\tau|_{-vs}},\ \mu\in\overline{\mu^\sharp}\})\\
\text{(Lemma 74)}\quad &= \xi_{\tau|_{-vs}}(\phi^\sharp|_{-vs}\ast\mu^\sharp)\,.
\end{aligned}$$

□



We are now ready to prove the correctness and optimality of the abstract operations in Figure 10.

Proposition 50. The operations in Figure 10 are the optimal counterparts induced by $\alpha^{\mathcal{ER}}$ of the operations in Figure 8 and of $\cup$.

Proof. The strictness of the abstract operations (except $\cup$) follows by reasoning as for the proof of strictness in Proposition 32. Note that $\gamma_\tau(\bot)=\emptyset$ for all $\tau\in\mathit{TypEnv}$ since, by Definition 41,

$$\gamma_\tau(\bot)=\{\sigma\in\Sigma_\tau \mid \alpha_\tau(\sigma)\subseteq\bot\}=\{\sigma\in\Sigma_\tau \mid \alpha_\tau(\sigma)=\bot\}=\emptyset\,.$$

Hence return is also strict on both arguments.

We will use the corresponding versions of the properties P2 and P3 already used in the proof of Proposition 32. They are

P2 If $\phi\ast\mu\in\mathcal{ER}_\tau$ then there exists $\sigma\in\Sigma_\tau$ such that $\alpha_\tau(\sigma)\subseteq\phi\ast\mu$.

P3 $\alpha_\tau\gamma_\tau$ is the identity map.

P2 holds since $\phi(\mathit{this})\neq\emptyset$ so that there exists $\pi\in\phi(\mathit{this})$ and hence, letting $\sigma=[\mathit{this}\mapsto l]\ast[l\mapsto\pi\ast\Im(F(k(\pi)))]$ for some $l\in\mathit{Loc}$, we have $\sigma\in\Sigma_\tau$. Moreover, $\alpha_\tau(\sigma)=\phi^\bot[\mathit{this}\mapsto\{\pi\}]\ast\mu^\bot\subseteq\phi\ast\mu$, where $\phi^\bot$ and $\mu^\bot$ are the least elements of $\mathit{Frame}^{\mathcal{ER}}_\tau$ and $\mathit{Memory}^{\mathcal{ER}}$, respectively. By Proposition 49, $\alpha_\tau$ is a Galois insertion and hence P3 holds.

Most cases of the proof are similar to the corresponding cases in the proof of Proposition 32, provided we use Lemma 76 instead of Lemma 67, Lemma 77 instead of Lemma 68, Definition 44 instead of Definition 25, and we modify the syntax of the abstract elements. As an example, consider

get_int, get_null, get_var

$$\begin{aligned}
&\alpha_{\tau[\mathit{res}\mapsto\mathit{int}]}(\mathit{get\_int}_\tau(\gamma_\tau(\phi^\sharp\ast\mu^\sharp)))\\
(\ast)\quad &= \alpha_\tau(\{\phi'\ast\mu' \mid \phi'\ast\mu'\in\gamma_\tau(\phi^\sharp\ast\mu^\sharp)\}).\phi[\mathit{res}\mapsto\ast]\ \ast\ \alpha_\tau(\{\phi'\ast\mu' \mid \phi'\ast\mu'\in\gamma_\tau(\phi^\sharp\ast\mu^\sharp)\}).\mu\\
\text{(P3)}\quad &= \phi^\sharp[\mathit{res}\mapsto\ast]\ast\mu^\sharp\,,
\end{aligned}$$

where point $\ast$ follows by Lemma 76 since $\mathit{res}\notin\mathrm{dom}(\tau)$ and $\tau[\mathit{res}\mapsto\mathit{int}](\mathit{res})=\mathit{int}$. The proof is similar for get_null and get_var.

Therefore, we only show the cases which differ significantly from the corresponding case in Proposition 32.

is_null

Let $A=\alpha_{\tau[\mathit{res}\mapsto\mathit{int}]}(\mathit{is\_null}_\tau(\gamma_\tau(\phi^\sharp\ast\mu^\sharp)))$. We have

$$\begin{aligned}
A &= \alpha_{\tau[\mathit{res}\mapsto\mathit{int}]}(\mathit{is\_null}_\tau(\{\sigma\in\Sigma_\tau \mid \alpha_\tau(\sigma)\subseteq\phi^\sharp\ast\mu^\sharp\}))\\
&= \alpha_{\tau[\mathit{res}\mapsto\mathit{int}]}(\{\phi[\mathit{res}\mapsto 1]\ast\mu \mid \phi\ast\mu\in\Sigma_\tau\text{ and }\alpha_\tau(\phi\ast\mu)\subseteq\phi^\sharp\ast\mu^\sharp\})\,.
\end{aligned}$$

By Lemma 76.i we have

$$\begin{aligned}
A.\phi &= \phi^\sharp[\mathit{res}\mapsto\ast]\\
\text{(Definition 44)}\quad &= \xi_{\tau[\mathit{res}\mapsto\mathit{int}]}(\phi^\sharp[\mathit{res}\mapsto\ast]\ast\mu^\sharp).\phi\,.
\end{aligned}$$

Moreover, by Lemma 76.ii we have

$$\begin{aligned}
A.\mu &= \alpha_{\tau|_{-\mathit{res}}}(\{\phi|_{-\mathit{res}}\ast\mu \mid \phi\ast\mu\in\Sigma_\tau\text{ and }\alpha_\tau(\phi\ast\mu)\subseteq\phi^\sharp\ast\mu^\sharp\}).\mu\\
\text{(Lemma 77)}\quad &= \xi_{\tau|_{-\mathit{res}}}(\phi^\sharp|_{-\mathit{res}}\ast\mu^\sharp).\mu\\
\text{(Definition 44)}\quad &= \xi_{\tau[\mathit{res}\mapsto\mathit{int}]}(\phi^\sharp[\mathit{res}\mapsto\ast]\ast\mu^\sharp).\mu\,.
\end{aligned}$$

put_var

Let $A=\alpha_{\tau|_{-\mathit{res}}}(\mathit{put\_var}^v_\tau(\gamma_\tau(\phi^\sharp\ast\mu^\sharp)))$. We have

$$\begin{aligned}
A &= \alpha_{\tau|_{-\mathit{res}}}(\mathit{put\_var}^v_\tau(\{\sigma\in\Sigma_\tau \mid \alpha_\tau(\sigma)\subseteq\phi^\sharp\ast\mu^\sharp\}))\\
&= \alpha_{\tau|_{-\mathit{res}}}(\{\phi[v\mapsto\phi(\mathit{res})]|_{-\mathit{res}}\ast\mu \mid \phi\ast\mu\in\Sigma_\tau\text{ and }\alpha_\tau(\phi\ast\mu)\subseteq\phi^\sharp\ast\mu^\sharp\})\,.
\end{aligned}$$

By Lemma 76.i we have

$$\begin{aligned}
A.\phi &= \phi^\sharp[v\mapsto\phi^\sharp(\mathit{res})]|_{-\mathit{res}}\\
\text{(Definition 44)}\quad &= \xi_{\tau|_{-\mathit{res}}}(\phi^\sharp[v\mapsto\phi^\sharp(\mathit{res})]|_{-\mathit{res}}\ast\mu^\sharp).\phi\,.
\end{aligned}$$

Moreover, since $\mathrm{rng}(\phi[v\mapsto\phi(\mathit{res})]|_{-\mathit{res}})=\mathrm{rng}(\phi|_{-v})$, by Lemma 76.ii we have

$$\begin{aligned}
A.\mu &= \alpha_{\tau|_{-v}}(\{\phi|_{-v}\ast\mu \mid \phi\ast\mu\in\Sigma_\tau\text{ and }\alpha_\tau(\phi\ast\mu)\subseteq\phi^\sharp\ast\mu^\sharp\}).\mu\\
\text{(Lemma 77)}\quad &= \xi_{\tau|_{-v}}(\phi^\sharp|_{-v}\ast\mu^\sharp).\mu\\
\text{(Definition 44)}\quad &= \xi_{\tau|_{-\mathit{res}}}(\phi^\sharp[v\mapsto\phi^\sharp(\mathit{res})]|_{-\mathit{res}}\ast\mu^\sharp).\mu\,.
\end{aligned}$$

call

Let $\rho=P(\nu)|_{-\mathit{out}}$. Recall that $\mathrm{dom}(\rho)=\{\iota_1,\ldots,\iota_n,\mathit{this}\}$. Let $\tau'=\tau[v_1\mapsto\iota_1,\ldots,v_n\mapsto\iota_n,\mathit{res}\mapsto\mathit{this}]$ and $\phi^{\sharp\prime}=\phi^\sharp[v_1\mapsto\iota_1,\ldots,v_n\mapsto\iota_n,\mathit{res}\mapsto\mathit{this}]$. We have

$$\begin{aligned}
&\alpha_\rho(\mathit{call}^{v_1,\ldots,v_n}_\nu(\gamma_\tau(\phi^\sharp\ast\mu^\sharp)))\\
&= \alpha_\rho(\mathit{call}^{v_1,\ldots,v_n}_\nu(\{\sigma\in\Sigma_\tau \mid \alpha_\tau(\sigma)\subseteq\phi^\sharp\ast\mu^\sharp\}))\\
&= \alpha_\rho(\{[\iota_1\mapsto\phi(v_1),\ldots,\iota_n\mapsto\phi(v_n),\mathit{this}\mapsto\phi(\mathit{res})]\ast\mu \mid \phi\ast\mu\in\Sigma_\tau\text{ and }\alpha_\tau(\phi\ast\mu)\subseteq\phi^\sharp\ast\mu^\sharp\})\\
\text{(Lemma 76)}\quad &= \alpha_\rho(\{\phi|_\rho\ast\mu \mid \phi\ast\mu\in\Sigma_{\tau'}\text{ and }\alpha_{\tau'}(\phi\ast\mu)\subseteq\phi^{\sharp\prime}\ast\mu^\sharp\})\\
\text{(Lemma 77)}\quad &= \xi_\rho(\phi^{\sharp\prime}|_\rho\ast\mu^\sharp)\\
&= \xi_\rho([\iota_1\mapsto\phi^\sharp(v_1),\ldots,\iota_n\mapsto\phi^\sharp(v_n),\mathit{this}\mapsto\phi^\sharp(\mathit{res})]\ast\mu^\sharp)\,.
\end{aligned}$$



new

Let $\kappa=k(\pi)$ and $A=\alpha_{\tau[\mathit{res}\mapsto\kappa]}(\mathit{new}^\pi_\tau(\gamma_\tau(\phi^\sharp\ast\mu^\sharp)))$. Since $\mathit{res}\notin\mathrm{dom}(\tau)$ we have

$$\begin{aligned}
A &= \alpha_{\tau[\mathit{res}\mapsto\kappa]}(\mathit{new}^\pi_\tau(\{\sigma\in\Sigma_\tau \mid \alpha_\tau(\sigma)\subseteq\phi^\sharp\ast\mu^\sharp\}))\\
&= \alpha_{\tau[\mathit{res}\mapsto\kappa]}(\{\phi[\mathit{res}\mapsto l]\ast\mu[l\mapsto\pi\ast\Im(F(\kappa))] \mid \phi\ast\mu\in\Sigma_\tau,\ l\in\mathit{Loc}\setminus\mathrm{dom}(\mu)\text{ and }\alpha_\tau(\phi\ast\mu)\subseteq\phi^\sharp\ast\mu^\sharp\})\,.
\end{aligned}$$

By Lemma 76.i we have

$$\begin{aligned}
A.\phi &= \alpha_\tau(\{\phi\ast\mu \mid \phi\ast\mu\in\Sigma_\tau\text{ and }\alpha_\tau(\phi\ast\mu)\subseteq\phi^\sharp\ast\mu^\sharp\}).\phi[\mathit{res}\mapsto\{\pi\}]\\
&= \alpha_\tau\gamma_\tau(\phi^\sharp\ast\mu^\sharp).\phi[\mathit{res}\mapsto\{\pi\}]\\
\text{(P3)}\quad &= \phi^\sharp[\mathit{res}\mapsto\{\pi\}]\,.
\end{aligned}$$

The newly created object $o=\pi\ast\Im(F(\kappa))$ has its fields bound to $\mathit{null}$: $o.\phi(f)=\Im(F(\kappa))(f)\in\{0,\mathit{null}\}$ for every $f\in\mathrm{dom}(o.\phi)$. Hence it does not contribute to the memory component $A.\mu$ and by Lemma 76.ii we have

$$\begin{aligned}
A.\mu &= \alpha_\tau(\{\phi\ast\mu \mid \phi\ast\mu\in\Sigma_\tau\text{ and }\alpha_\tau(\phi\ast\mu)\subseteq\phi^\sharp\ast\mu^\sharp\}).\mu\\
&= \alpha_\tau\gamma_\tau(\phi^\sharp\ast\mu^\sharp).\mu\\
\text{(P3)}\quad &= \mu^\sharp\,.
\end{aligned}$$



return

Let $\tau'=\tau[\mathit{res}\mapsto P(\nu)(\mathit{out})]$, $\tau''=P(\nu)|_{\mathit{out}}$ and $L=\mathrm{rng}(\phi_1|_{-\mathit{res}})\cap\mathit{Loc}$.

$$\begin{aligned}
&\alpha_{\tau'}(\mathit{return}_\tau(\gamma_\tau(\phi^\sharp_1\ast\mu^\sharp_1))(\gamma_{\tau''}(\phi^\sharp_2\ast\mu^\sharp_2)))\\
&= \alpha_{\tau'}(\mathit{return}_\tau(\{\sigma_1\in\Sigma_\tau \mid \alpha_\tau(\sigma_1)\subseteq\phi^\sharp_1\ast\mu^\sharp_1\})(\{\sigma_2\in\Sigma_{\tau''} \mid \alpha_{\tau''}(\sigma_2)\subseteq\phi^\sharp_2\ast\mu^\sharp_2\}))\\
&= \alpha_{\tau'}(\{\phi_1|_{-\mathit{res}}[\mathit{res}\mapsto\phi_2(\mathit{out})]\ast\mu_2 \mid \mathit{Cond}\})\\
(\ast)\quad &= \alpha_{\tau|_{-\mathit{res}}}(\{\phi_1|_{-\mathit{res}}\ast\mu_2 \mid \mathit{Cond}\})\ \cup\ \alpha_{\tau''}(\{\phi_2\ast\mu_2 \mid \mathit{Cond}\})[\mathit{out}\mapsto\mathit{res}]
\end{aligned}$$

where $\mathit{Cond}$ stands for $\phi_1\ast\mu_1\in\Sigma_\tau$, $\phi_2\ast\mu_2\in\Sigma_{\tau''}$, $\alpha_\tau(\phi_1\ast\mu_1)\subseteq\phi^\sharp_1\ast\mu^\sharp_1$, $\alpha_{\tau''}(\phi_2\ast\mu_2)\subseteq\phi^\sharp_2\ast\mu^\sharp_2$ and $\mu_1=_L\mu_2$, and where point $\ast$ follows by Definition 41. Let $A$ and $B$ be the first and the second member of the union above, respectively. Since $\alpha_{\tau''}(\phi_2\ast\mu_2)\subseteq\phi^\sharp_2\ast\mu^\sharp_2$, we have $B\subseteq\phi^\sharp_2[\mathit{out}\mapsto\mathit{res}]\ast\mu^\sharp_2$. But the converse inclusion holds also, since by Lemma 71.iii we have

$$B\supseteq\alpha_{\tau''}(\{\phi_2\ast\mu_2 \mid \phi_1\in\overline{\phi^\sharp_1}^{\tau},\ \mu_1\in\overline{\mu^\sharp_1},\ \phi_2\in\overline{\phi^\sharp_2}^{\tau''},\ \mu_2\in\overline{\mu^\sharp_2}\})[\mathit{out}\mapsto\mathit{res}]$$

which by Lemma 74 is equal to $\phi^\sharp_2[\mathit{out}\mapsto\mathit{res}]\ast\mu^\sharp_2$. Note that the condition $\mu_1=_L\mu_2$ is satisfied by Definition 69. Since $\mathrm{dom}(\tau'')=\{\mathit{out}\}$, we conclude that $B=[\mathit{res}\mapsto\phi^\sharp_2(\mathit{out})]\ast\mu^\sharp_2$.

With regard to $A$, we have

$$\begin{aligned}
A &\supseteq \alpha_{\tau|_{-\mathit{res}}}(\{\phi_1|_{-\mathit{res}}\ast\mu_2 \mid \mathit{Cond},\ \phi_1\in\overline{\phi^\sharp_1}^{\tau},\ \mu_1\in\overline{\mu^\sharp_1},\ \phi_2=\Im(\tau''),\ \mu_2\in\overline{\mu^\sharp_1}\})\\
\text{(Lemma 71)}\quad &= \alpha_{\tau|_{-\mathit{res}}}(\{\phi_1|_{-\mathit{res}}\ast\mu_2 \mid \phi_1\in\overline{\phi^\sharp_1}^{\tau},\ \mu_2\in\overline{\mu^\sharp_1}\})\\
\text{(Lemma 74)}\quad &= \xi_{\tau|_{-\mathit{res}}}(\phi^\sharp_1|_{-\mathit{res}}\ast\mu^\sharp_1)\,. \qquad (22)
\end{aligned}$$

Moreover, for every $v\in\mathrm{dom}(\tau|_{-\mathit{res}})$ such that $\tau(v)\in\mathcal{K}$, we have

$$\begin{aligned}
A.\phi(v) &= \{o.\pi \mid \phi_1|_{-\mathit{res}}(v)\in\mathit{Loc},\ o=\mu_2\phi_1|_{-\mathit{res}}(v),\ \mathit{Cond}\}\\
\text{(since }\mu_1=_L\mu_2\text{)}\quad &= \{o.\pi \mid \phi_1|_{-\mathit{res}}(v)\in\mathit{Loc},\ o=\mu_1\phi_1|_{-\mathit{res}}(v),\ \mathit{Cond}\}\\
&\subseteq \{(\mu_1\phi_1(v)).\pi \mid \phi_1(v)\in\mathit{Loc},\ \phi_1\ast\mu_1\in\Sigma_\tau,\ \alpha_\tau(\phi_1\ast\mu_1)\subseteq\phi^\sharp_1\ast\mu^\sharp_1\}\\
&= (\alpha_\tau\gamma_\tau(\phi^\sharp_1\ast\mu^\sharp_1)).\phi(v)\\
\text{(P3)}\quad &= \phi^\sharp_1(v)\,.
\end{aligned}$$

We conclude that $A.\phi\subseteq\phi^\sharp_1|_{-\mathit{res}}$. Moreover, we have $A.\mu\subseteq\mu^\sharp_1$. Hence $A\subseteq\phi^\sharp_1|_{-\mathit{res}}\ast\mu^\sharp_1$ and, by Corollary 75, $A\subseteq\xi_{\tau|_{-\mathit{res}}}(\phi^\sharp_1|_{-\mathit{res}}\ast\mu^\sharp_1)$. Together with (22), this proves that $A=\xi_{\tau|_{-\mathit{res}}}(\phi^\sharp_1|_{-\mathit{res}}\ast\mu^\sharp_1)$.

get_field

Let $\tau'=\tau[\mathit{res}\mapsto(F(\tau(\mathit{res})))(f)]$ and $A=\alpha_{\tau'}(\mathit{get\_field}^f_\tau(\gamma_\tau(\phi^\sharp\ast\mu^\sharp)))$. We have

$$\begin{aligned}
A &= \alpha_{\tau'}(\mathit{get\_field}^f_\tau(\{\phi\ast\mu\in\Sigma_\tau \mid \alpha_\tau(\phi\ast\mu)\subseteq\phi^\sharp\ast\mu^\sharp\}))\\
&= \alpha_{\tau'}(\{\phi[\mathit{res}\mapsto(\mu\phi(\mathit{res})).\phi(f)]\ast\mu \mid \phi\ast\mu\in\Sigma_\tau,\ \phi(\mathit{res})\neq\mathit{null},\ \alpha_\tau(\phi\ast\mu)\subseteq\phi^\sharp\ast\mu^\sharp\})
\end{aligned}$$

which is $\bot$ when $\phi^\sharp(\mathit{res})=\emptyset$, since in such a case the condition $\phi(\mathit{res})\neq\mathit{null}$ cannot be satisfied. Assume then that we have $\phi^\sharp(\mathit{res})\neq\emptyset$. Then

$$\begin{aligned}
A &\supseteq \alpha_{\tau'}(\{\phi[\mathit{res}\mapsto l']\ast\mu \mid \phi\ast\mu\in\Sigma_\tau,\ \phi(\mathit{res})\neq\mathit{null},\ l'=(\mu\phi(\mathit{res})).\phi(f),\ \alpha_\tau(\phi\ast\mu)\subseteq\phi^\sharp\ast\mu^\sharp,\ \phi\in\overline{\phi^\sharp}^{\tau},\ \mu\in\overline{\mu^\sharp}\})\\
\text{(Definition 69)}\quad &= \alpha_{\tau'}(\{\phi[\mathit{res}\mapsto l']\ast\mu \mid \phi(\mathit{res})\neq\mathit{null},\ l'=(\mu\phi(\mathit{res})).\phi(f),\ \phi\in\overline{\phi^\sharp}^{\tau},\ \mu\in\overline{\mu^\sharp}\})\\
\text{(Lemma 71)}\quad &= \alpha_{\tau'}(\{\phi[\mathit{res}\mapsto l']\ast\mu \mid l'=(\mu\phi(\mathit{res})).\phi(f),\ \phi\in\overline{\phi^\sharp}^{\tau},\ \mu\in\overline{\mu^\sharp}\})\\
\text{(Definition 69)}\quad &= \alpha_{\tau'}(\{\phi\ast\mu \mid \phi\in\overline{\phi^\sharp[\mathit{res}\mapsto\mu^\sharp(f)]}^{\tau'},\ \mu\in\overline{\mu^\sharp}\})\\
\text{(Lemma 74)}\quad &= \xi_{\tau'}(\phi^\sharp[\mathit{res}\mapsto\mu^\sharp(f)]\ast\mu^\sharp)\,.
\end{aligned}$$

We prove that the converse inclusion also holds. Let $x=(\mu\phi(\mathit{res})).\phi(f)$. If $x\in\mathit{Loc}$, the object $\mu(x)$ is reachable by construction from $\phi(\mathit{res})$. Hence we have

$$\begin{aligned}
A.\mu &\subseteq \alpha_\tau(\{\phi\ast\mu \mid \phi\ast\mu\in\Sigma_\tau,\ \phi(\mathit{res})\neq\mathit{null},\ \alpha_\tau(\phi\ast\mu)\subseteq\phi^\sharp\ast\mu^\sharp\}).\mu\\
&\subseteq \alpha_\tau(\{\phi\ast\mu \mid \phi\ast\mu\in\Sigma_\tau,\ \alpha_\tau(\phi\ast\mu)\subseteq\phi^\sharp\ast\mu^\sharp\}).\mu\\
&= \alpha_\tau\gamma_\tau(\phi^\sharp\ast\mu^\sharp).\mu\\
\text{(P3)}\quad &= \mu^\sharp\,.
\end{aligned}$$

If $\phi(\mathit{res})\neq\mathit{null}$ then $o=\mu\phi(\mathit{res})\in O_\tau(\phi\ast\mu)$ and $\varepsilon_F(o.\phi\ast\mu)\subseteq\mu^\sharp$ (Definition 41). Hence, if $(\mu\phi(\mathit{res})).\phi(f)\neq\mathit{null}$ then we have $((\mu\phi(\mathit{res})).\phi(f)).\pi\in\mu^\sharp(f)$. By Lemma 76 we conclude that

lookup

Let $A=\alpha_\tau(\mathit{lookup}^{m,\nu}_\tau(\gamma_\tau(\phi^\sharp\ast\mu^\sharp)))$. We have

$$\begin{aligned}
A &= \alpha_\tau(\mathit{lookup}^{m,\nu}_\tau(\{\phi\ast\mu\in\Sigma_\tau \mid \alpha_\tau(\phi\ast\mu)\subseteq\phi^\sharp\ast\mu^\sharp\}))\\
&= \alpha_\tau(\{\phi\ast\mu\in\Sigma_\tau \mid \alpha_\tau(\phi\ast\mu)\subseteq\phi^\sharp\ast\mu^\sharp,\ \phi(\mathit{res})\neq\mathit{null},\ M(k((\mu\phi(\mathit{res})).\pi))(m)=\nu\})\,.
\end{aligned}$$

We have $A=\bot$ if there is no $\pi\in\phi^\sharp(\mathit{res})$ such that $M(k(\pi))(m)=\nu$, because in such a case the condition $M(k((\mu\phi(\mathit{res})).\pi))(m)=\nu$ cannot be satisfied. Otherwise we have

$$\begin{aligned}
A &\supseteq \alpha_\tau(\{\phi\ast\mu\in\Sigma_\tau \mid \alpha_\tau(\phi\ast\mu)\subseteq\phi^\sharp\ast\mu^\sharp,\ \phi(\mathit{res})\neq\mathit{null},\ M(k((\mu\phi(\mathit{res})).\pi))(m)=\nu,\ \phi\in\overline{\phi^\sharp}^{\tau},\ \mu\in\overline{\mu^\sharp}\})\\
\text{(Definition 44)}\quad &= \alpha_\tau(\{\phi\ast\mu\in\Sigma_\tau \mid \phi(\mathit{res})\neq\mathit{null},\ M(k((\mu\phi(\mathit{res})).\pi))(m)=\nu,\ \phi\in\overline{\phi^\sharp}^{\tau},\ \mu\in\overline{\mu^\sharp}\})\\
\text{(Lemma 71.iii)}\quad &= \alpha_\tau(\{\phi\ast\mu\in\Sigma_\tau \mid M(k((\mu\phi(\mathit{res})).\pi))(m)=\nu,\ \phi\in\overline{\phi^\sharp}^{\tau},\ \mu\in\overline{\mu^\sharp}\})\\
\text{(Definition 69)}\quad &= \alpha_\tau(\{\phi\ast\mu\in\Sigma_\tau \mid (\mu\phi(\mathit{res})).\pi\in S,\ \phi\in\overline{\phi^\sharp}^{\tau},\ \mu\in\overline{\mu^\sharp}\})
\end{aligned}$$

where $S=\{\pi\in\phi^\sharp(\mathit{res}) \mid M(k(\pi))(m)=\nu\}$. By Definition 69 we have

$$\begin{aligned}
A &\supseteq \alpha_\tau(\{\phi\ast\mu\in\Sigma_\tau \mid \phi\in\overline{\phi^\sharp[\mathit{res}\mapsto S]}^{\tau},\ \mu\in\overline{\mu^\sharp}\})\\
\text{(Lemma 74)}\quad &= \xi_\tau(\phi^\sharp[\mathit{res}\mapsto S]\ast\mu^\sharp)\,.
\end{aligned}$$

We prove that also the converse inclusion holds. Note that if $\alpha_\tau(\phi\ast\mu)\subseteq\phi^\sharp[\mathit{res}\mapsto S]\ast\mu^\sharp$ and $\phi(\mathit{res})\neq\mathit{null}$ then $M(k((\mu\phi(\mathit{res})).\pi))(m)=\nu$. Hence we have

$$\begin{aligned}
A &\subseteq \alpha_\tau(\{\phi\ast\mu\in\Sigma_\tau \mid \alpha_\tau(\phi\ast\mu)\subseteq\phi^\sharp[\mathit{res}\mapsto S]\ast\mu^\sharp,\ \phi(\mathit{res})\neq\mathit{null}\})\\
\text{(Definition 41)}\quad &= \alpha_\tau(\{\phi\ast\mu\in\Sigma_\tau \mid \alpha_\tau(\phi\ast\mu)\subseteq\phi^\sharp[\mathit{res}\mapsto S]\ast\mu^\sharp\})\\
&= \alpha_\tau\gamma_\tau(\phi^\sharp[\mathit{res}\mapsto S]\ast\mu^\sharp)\\
\text{(P3)}\quad &= \phi^\sharp[\mathit{res}\mapsto S]\ast\mu^\sharp\,.
\end{aligned}$$


put_field

Let $\tau''=\tau|_{-\mathit{res}}$ and $A=\alpha_{\tau''}(\mathit{put\_field}^f_{\tau,\tau'}(\gamma_\tau(\phi^\sharp_1\ast\mu^\sharp_1))(\gamma_{\tau'}(\phi^\sharp_2\ast\mu^\sharp_2)))$. We have

$$\begin{aligned}
A &= \alpha_{\tau''}(\mathit{put\_field}^f_{\tau,\tau'}(\{\sigma_1\in\Sigma_\tau \mid \alpha_\tau(\sigma_1)\subseteq\phi^\sharp_1\ast\mu^\sharp_1\})(\{\sigma_2\in\Sigma_{\tau'} \mid \alpha_{\tau'}(\sigma_2)\subseteq\phi^\sharp_2\ast\mu^\sharp_2\}))\\
&= \alpha_{\tau''}\left(\left\{\phi_2|_{-\mathit{res}}\ast\mu_2[l\mapsto\mu_2(l).\pi\ast\mu_1(l).\phi[f\mapsto\phi_2(\mathit{res})]] \,\middle|\, \begin{array}{l}\phi_1\ast\mu_1\in\Sigma_\tau,\ \phi_2\ast\mu_2\in\Sigma_{\tau'},\\ \alpha_\tau(\phi_1\ast\mu_1)\subseteq\phi^\sharp_1\ast\mu^\sharp_1,\\ \alpha_{\tau'}(\phi_2\ast\mu_2)\subseteq\phi^\sharp_2\ast\mu^\sharp_2,\\ (l=\phi_1(\mathit{res}))\neq\mathit{null},\ \mu_1=_l\mu_2\end{array}\right\}\right)
\end{aligned}$$

which is $\bot$ if $\phi^\sharp_1(\mathit{res})=\emptyset$, since in such a case the condition $\phi_1(\mathit{res})\neq\mathit{null}$ cannot be satisfied. Assume then that $\phi^\sharp_1(\mathit{res})\neq\emptyset$. If no creation point in $\phi^\sharp_1(\mathit{res})$ occurs in $\phi^\sharp_2|_{-\mathit{res}}\ast\mu^\sharp_2$ then $\mu_2(l)\notin O_{\tau''}(\phi_2|_{-\mathit{res}}\ast\mu_2)$. Hence the update of the content of $l$ does not contribute to $\alpha_{\tau''}$ (Definition 41) and we have

$$A = \alpha_{\tau''}\left(\left\{\phi_2|_{-\mathit{res}}\ast\mu_2 \,\middle|\, \begin{array}{l}\phi_1\ast\mu_1\in\Sigma_\tau,\ \phi_2\ast\mu_2\in\Sigma_{\tau'},\\ \alpha_\tau(\phi_1\ast\mu_1)\subseteq\phi^\sharp_1\ast\mu^\sharp_1,\\ \alpha_{\tau'}(\phi_2\ast\mu_2)\subseteq\phi^\sharp_2\ast\mu^\sharp_2,\\ (l=\phi_1(\mathit{res}))\neq\mathit{null},\ \mu_1=_l\mu_2\end{array}\right\}\right)\,.$$

Let $\phi_2\ast\mu_2\in\Sigma_{\tau'}$ be such that $\alpha_{\tau'}(\phi_2\ast\mu_2)\subseteq\phi^\sharp_2\ast\mu^\sharp_2$. By P2, we can always find $\phi_1\ast\mu_1\in\Sigma_\tau$ such that $\alpha_\tau(\phi_1\ast\mu_1)\subseteq\phi^\sharp_1\ast\mu^\sharp_1$. By the hypothesis $\phi^\sharp_1(\mathit{res})\neq\emptyset$ we can assume that $(l=\phi_1(\mathit{res}))\neq\mathit{null}$. If $\mu_1=_l\mu_2$ does not hold, we can assume that $l\notin\mathrm{dom}(\mu_2)$ (up to renaming). Let $o=\mu_1(l)$. We define $\mu_2'=\mu_2[l\mapsto o.\pi\ast\Im(F(k(o.\pi)))]$. We have $\phi_2\ast\mu_2'\in\Sigma_{\tau'}$ and, since the extra location $l$ does not contribute to $\alpha_{\tau'}$, we have $\alpha_{\tau'}(\phi_2\ast\mu_2')=\alpha_{\tau'}(\phi_2\ast\mu_2)$ and $\alpha_{\tau''}(\phi_2|_{-\mathit{res}}\ast\mu_2')=\alpha_{\tau''}(\phi_2|_{-\mathit{res}}\ast\mu_2)$. Moreover, $\mu_1=_l\mu_2'$ holds by construction. We conclude that the constraints on $\phi_1\ast\mu_1$ and the constraint $\mu_1=_l\mu_2$ do not contribute to $A$, and we have

$$\begin{aligned}
A &= \alpha_{\tau''}(\{\phi_2|_{-\mathit{res}}\ast\mu_2 \mid \phi_2\ast\mu_2\in\Sigma_{\tau'},\ \alpha_{\tau'}(\phi_2\ast\mu_2)\subseteq\phi^\sharp_2\ast\mu^\sharp_2\})\\
\text{(Corollary 75)}\quad &= \xi_{\tau''}(\phi^\sharp_2|_{-\mathit{res}}\ast\mu^\sharp_2)\,.
\end{aligned}$$

Otherwise, since the objects reachable from $\phi_2(\mathit{res})$ belong to the set $O_{\tau'}(\phi_2\ast\mu_2)$, by Lemma 76 we have

$$\begin{aligned}
A &\subseteq \alpha_{\tau''}\left(\left\{\phi_2|_{-\mathit{res}}\ast\mu_2[l\mapsto\mu_2(l).\pi\ast\mu_2(l).\phi[f\mapsto\phi_2(\mathit{res})]] \,\middle|\, \begin{array}{l}\phi_2\ast\mu_2\in\Sigma_{\tau'},\\ \alpha_{\tau'}(\phi_2\ast\mu_2)\subseteq\phi^\sharp_2\ast\mu^\sharp_2,\\ l\in\mathrm{dom}(\mu_2),\\ f\in\mathrm{dom}(F(k(\mu_2(l).\pi)))\end{array}\right\}\right)\\
&\subseteq \phi^\sharp_2|_{-\mathit{res}}\ast\mu^\sharp_2[f\mapsto\mu^\sharp_2(f)\cup\phi^\sharp_2(\mathit{res})]\,.
\end{aligned}$$

By Corollary 75 we conclude that $A\subseteq\xi_{\tau''}(\phi^\sharp_2|_{-\mathit{res}}\ast\mu^\sharp_2[f\mapsto\mu^\sharp_2(f)\cup\phi^\sharp_2(\mathit{res})])$.

We prove the converse inclusion now. Since we assume that there is a $\pi\in\phi^\sharp_1(\mathit{res})$ which occurs in $\phi^\sharp_2|_{-\mathit{res}}\ast\mu^\sharp_2$, then we can find $\phi_1\ast\mu_1\in\Sigma_\tau$ with $\alpha_\tau(\phi_1\ast\mu_1)\subseteq\phi^\sharp_1\ast\mu^\sharp_1$ and $\phi_2\ast\mu_2\in\Sigma_{\tau'}$ with $\alpha_{\tau'}(\phi_2\ast\mu_2)\subseteq\phi^\sharp_2\ast\mu^\sharp_2$ such that $\phi_1(\mathit{res})=l$, $\mu_1(l).\pi=\pi$ and $\mu_1=_l\mu_2$. Note that $\phi_2(\mathit{res})$ is only constrained by $\alpha_{\tau'}(\phi_2\ast\mu_2)\subseteq\phi^\sharp_2\ast\mu^\sharp_2$, so that $\phi_2(\mathit{res})$ can range over all $\phi^\sharp_2(\mathit{res})$. Moreover, by the existence of $\pi$ we can assume that $l$ is reachable in $\phi_2\ast\mu_2$, that is $\mu_2(l)\in O_{\tau''}(\phi_2|_{-\mathit{res}}\ast\mu_2)$. We conclude that

$$A.\mu(f)\supseteq\phi^\sharp_2(\mathit{res})\,. \qquad (23)$$

Moreover, given again $\phi_1\ast\mu_1\in\Sigma_\tau$ with $\alpha_\tau(\phi_1\ast\mu_1)\subseteq\phi^\sharp_1\ast\mu^\sharp_1$ and $\phi_2\ast\mu_2\in\Sigma_{\tau'}$ with $\alpha_{\tau'}(\phi_2\ast\mu_2)\subseteq\phi^\sharp_2\ast\mu^\sharp_2$ and $(l=\phi_1(\mathit{res}))\neq\mathit{null}$, the condition $\mu_1=_l\mu_2$ can be made true by renaming $l$ into $l'$ in $\phi_2\ast\mu_2$ (if $l$ occurs there) and extending $\mu_2$ with an unreachable $l$ bound to $\mu_1(l)$. We conclude that we can always find $\phi_1\ast\mu_1$ and $\phi_2\ast\mu_2$ such that $\alpha_\tau(\phi_1\ast\mu_1)\subseteq\phi^\sharp_1\ast\mu^\sharp_1$, $\alpha_{\tau'}(\phi_2\ast\mu_2)\subseteq\phi^\sharp_2\ast\mu^\sharp_2$, $(l=\phi_1(\mathit{res}))\neq\mathit{null}$, $\mu_1=_l\mu_2$ and $l$ is not reachable from $\phi_2\ast\mu_2$: $\mu_2(l)\notin O_{\tau''}(\phi_2|_{-\mathit{res}}\ast\mu_2)$. As a consequence and by using P2, we have

$$\begin{aligned}
A &\supseteq \alpha_{\tau''}(\{\phi_2|_{-\mathit{res}}\ast\mu_2 \mid \phi_2\ast\mu_2\in\Sigma_{\tau'},\ \alpha_{\tau'}(\phi_2\ast\mu_2)\subseteq\phi^\sharp_2\ast\mu^\sharp_2\})\\
\text{(Corollary 75)}\quad &= \xi_{\tau''}(\phi^\sharp_2|_{-\mathit{res}}\ast\mu^\sharp_2)\,. \qquad (24)
\end{aligned}$$

By merging (23) and (24) we conclude that

$$A\supseteq\xi_{\tau''}(\phi^\sharp_2|_{-\mathit{res}}\ast\mu^\sharp_2)\cup(\phi_\bot\ast\mu_\bot[f\mapsto\phi^\sharp_2(\mathit{res})]) \qquad (25)$$

where $\phi_\bot$ maps all variables to $\emptyset$ and $\mu_\bot$ maps all fields to $\emptyset$. We still have to prove that in the equation above we can move $\phi^\sharp_2(\mathit{res})$ inside the garbage collector $\xi_{\tau''}$. But this is true since by Figure 7 we know that $f$ is a field of $F(\tau(\mathit{res}))$ so that $f$ is a field of the objects created at the creation point $\pi\in\phi^\sharp_1(\mathit{res})$ which we assume to occur in $\phi^\sharp_2|_{-\mathit{res}}\ast\mu^\sharp_2$. Hence $\xi_{\tau''}$ cannot garbage collect the set $\phi^\sharp_2(\mathit{res})$ bound to $f$. In conclusion, (25) becomes

$$A\supseteq\xi_{\tau''}(\phi^\sharp_2|_{-\mathit{res}}\ast\mu^\sharp_2[f\mapsto\mu^\sharp_2(f)\cup\phi^\sharp_2(\mathit{res})])\,.$$



$\cup$

By additivity (Proposition 49), the best approximation of $\cup$ over $\wp(\Sigma_\tau)$ is (pointwise) $\cup$ over $\mathcal{ER}$.

The proof of Proposition 56 needs the following result that $\theta_\tau(e)$ is an element of $\mathcal{ER}_\tau$ and approximates exactly the same concrete states as $e$.

Lemma 78 Let $\sigma\in\Sigma_\tau$ and $e\in\mathcal{E}_\tau$. Then $\theta_\tau(e)\in\mathcal{ER}_\tau$. Moreover, $\alpha^{\mathcal{E}}_\tau(\sigma)\subseteq e$ if and only if $\alpha^{\mathcal{ER}}_\tau(\sigma)\subseteq\theta_\tau(e)$.

Proof. We have $\theta_\tau(e)\in\mathcal{ER}_\tau$ by idempotency of $\xi_\tau$ (Proposition 46) and Definition 48.

Let $\alpha^{\mathcal{E}}_\tau(\sigma)\subseteq e$ and $v\in\mathrm{dom}(\tau)$. If $\tau(v)=\mathit{int}$, then $\varepsilon_\tau(\sigma)(v)=\ast=\vartheta_\tau(e)(v)$. If $\tau(v)\in\mathcal{K}$, then every $\pi\in\varepsilon_\tau(\sigma)(v)$ is such that $k(\pi)\le\tau(v)$ (Definitions 37 and 14). Moreover, $\pi=\mu(l).\pi$ for some $l\in\mathrm{rng}(\phi)\cap\mathit{Loc}$ (Definition 37). Hence $\pi\in\alpha^{\mathcal{E}}_\tau(\sigma)$ (Definition 22), and $\pi\in e$. By Definition 54 we conclude that $\pi\in\vartheta_\tau(e)(v)$. Hence $\alpha^{\mathcal{ER}}_\tau(\sigma).\phi=\varepsilon_\tau(\sigma)\subseteq\vartheta_\tau(e)$. Let now $f\in\mathrm{dom}(F)$. If $F(f)=\mathit{int}$, then $\varepsilon_F(\{o.\phi\ast\mu \mid o\in O_\tau(\sigma)\})(f)=\ast=\vartheta_F(e)(f)$. If $F(f)\in\mathcal{K}$, then every $\pi\in\varepsilon_F(\{o.\phi\ast\mu \mid o\in O_\tau(\sigma)\})(f)$ is such that $k(\pi)\le F(f)$ (Definitions 37 and 14). Moreover, $\pi=\mu(l).\pi$ for some $l\in\mathrm{rng}(o.\phi)\cap\mathit{Loc}$ with $o\in O_\tau(\sigma)$ (Definition 37). Hence $\pi\in\alpha^{\mathcal{E}}_\tau(\sigma)$ (Definition 22), and $\pi\in e$. By Definition 54 we conclude that $\pi\in\vartheta_F(e)(f)$. Hence $\alpha^{\mathcal{ER}}_\tau(\sigma).\mu=\varepsilon_F(\{o.\phi\ast\mu \mid o\in O_\tau(\sigma)\})\subseteq\vartheta_F(e)$. In conclusion, we have $\alpha^{\mathcal{ER}}_\tau(\sigma)\subseteq\vartheta_\tau(e)\ast\vartheta_F(e)$. Since $\xi_\tau$ is monotonic (Proposition 46) and by Proposition 47, we have $\alpha^{\mathcal{ER}}_\tau(\sigma)\subseteq\xi_\tau(\vartheta_\tau(e)\ast\vartheta_F(e))=\theta_\tau(e)$.

Conversely, let $\alpha^{\mathcal{ER}}_\tau(\sigma)\subseteq\theta_\tau(e)$. Let $\pi\in\alpha^{\mathcal{E}}_\tau(\sigma)$. By Definition 22 we have $\pi=o.\pi$ with $o\in O_\tau(\sigma)$. By Definition 41 we have $\pi\in\alpha^{\mathcal{ER}}_\tau(\sigma).\phi(v)$ for some $v\in\mathrm{dom}(\tau)$ or $\pi\in\alpha^{\mathcal{ER}}_\tau(\sigma).\mu(f)$ for some $f\in\mathrm{dom}(F)$, and hence $\pi\in\theta_\tau(e).\phi(v)$, in the first case, or $\pi\in\theta_\tau(e).\mu(f)$, in the second case. In both cases, by Definition 54 we have $\pi\in e$. Thus $\alpha^{\mathcal{E}}_\tau(\sigma)\subseteq e$. □

We can now prove that every element of $\mathcal{E}$ represents the same set of concrete states as an element of $\mathcal{ER}$.

Proposition 56. Let $\gamma^{\mathcal{E}}$ and $\gamma^{\mathcal{ER}}$ be the concretisation maps induced by the abstraction maps of Definitions 22 and 41, respectively. Then

$$\gamma^{\mathcal{E}}_\tau(\mathcal{E}_\tau)\subseteq\gamma^{\mathcal{ER}}_\tau(\mathcal{ER}_\tau)\,.$$

Proof. By Lemma 78, for any $e\in\mathcal{E}_\tau$, we have

$$\gamma^{\mathcal{E}}_\tau(e)=\{\sigma\in\Sigma_\tau \mid \alpha^{\mathcal{E}}_\tau(\sigma)\subseteq e\}=\{\sigma\in\Sigma_\tau \mid \alpha^{\mathcal{ER}}_\tau(\sigma)\subseteq\theta_\tau(e)\}=\gamma^{\mathcal{ER}}_\tau(\theta_\tau(e))\,.$$

Since this holds for all $e\in\mathcal{E}_\tau$, we have the thesis. □
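The following is an added executable model of the two constructions that the proofs above revolve around: the abstract garbage collector $\xi_\tau$ (Definition 44, whose fixpoints are exactly the range of $\alpha^{\mathcal{ER}}_\tau$ by Proposition 47) and the map $\theta_\tau$ from the basic domain $\mathcal{E}$ into $\mathcal{ER}$ (Lemma 78). It is illustration code written for this page, not code from the paper or from the authors' analyser. It assumes a tiny constructed class hierarchy, field typing and set of creation points; the abstract memory is indexed by field name, and $\theta_\tau$ is taken to filter the creation points of $e$ by the declared type of each variable and field before garbage collecting, which is how the proof of Lemma 78 uses Definition 54.

```python
# Added example (not from the paper): an executable model of the refined escape domain ER.
# An abstract frame maps variables to '*' (int) or a frozenset of creation points; an
# abstract memory maps fields to the same.  Classes, fields and creation points below are
# constructed for illustration; None stands for the bottom element of ER.
from typing import Dict, FrozenSet, Optional, Tuple, Union

STAR = "*"
AbsVal = Union[str, FrozenSet[str]]
AbsState = Optional[Tuple[Dict[str, AbsVal], Dict[str, AbsVal]]]

PARENT = {"Object": None, "Node": "Object", "Leaf": "Node"}            # constructed hierarchy
FIELDS = {                                                             # F(kappa): fields per class
    "Object": {},
    "Node": {"next": "Node", "val": "int"},
    "Leaf": {"next": "Node", "val": "int", "tag": "Object"},
}
FIELD_TYPE = {"next": "Node", "val": "int", "tag": "Object"}           # every field with its type
KAPPA = {"p1": "Node", "p2": "Leaf", "p3": "Object"}                   # k(pi): class created at pi

def subclass(c: str, d: str) -> bool:
    """c <= d in the class hierarchy."""
    while c is not None:
        if c == d:
            return True
        c = PARENT[c]
    return False

def rho(tau, phi, mu) -> FrozenSet[str]:
    """Creation points reachable from the frame through the abstract memory."""
    reached, work = set(), set()
    for v, t in tau.items():
        if t != "int":
            work |= phi[v]
    while work:
        p = work.pop()
        if p not in reached:
            reached.add(p)
            for f, t in FIELDS[KAPPA[p]].items():
                if t != "int":
                    work |= mu[f]
    return frozenset(reached)

def xi(tau, phi, mu) -> AbsState:
    """Abstract garbage collector xi_tau: bottom when 'this' is present but empty; otherwise
    keep only the fields of classes reachable via rho and reset the other fields to empty."""
    if "this" in tau and not phi["this"]:
        return None
    live = set()
    for p in rho(tau, phi, mu):
        live |= set(FIELDS[KAPPA[p]])
    new_mu = {f: STAR if t == "int" else (mu[f] if f in live else frozenset())
              for f, t in FIELD_TYPE.items()}
    return dict(phi), new_mu

def theta(tau, e: FrozenSet[str]) -> AbsState:
    """theta_tau(e): type-filter the creation points of e into a frame and a memory, then gc."""
    def fit(t):
        return STAR if t == "int" else frozenset(p for p in e if subclass(KAPPA[p], t))
    return xi(tau, {v: fit(t) for v, t in tau.items()}, {f: fit(t) for f, t in FIELD_TYPE.items()})

def leq(s1: AbsState, s2: AbsState) -> bool:
    """Pointwise order on ER: bottom is least, '*' is only below '*', sets by inclusion."""
    if s1 is None:
        return True
    if s2 is None:
        return False
    def below(a, b):
        return a == b if a == STAR or b == STAR else a <= b
    return (all(below(s1[0][v], s2[0][v]) for v in s1[0])
            and all(below(s1[1][f], s2[1][f]) for f in s1[1]))

# Concrete side: a frame maps variables to an int, a location or None (null); a memory maps
# locations to (creation point, field frame).
def reachable(frame, mem):
    seen, work = set(), {x for x in frame.values() if x in mem}
    while work:
        l = work.pop()
        if l not in seen:
            seen.add(l)
            work |= {x for x in mem[l][1].values() if x in mem}
    return seen

def alpha_E(frame, mem) -> FrozenSet[str]:
    """Basic abstraction (Definition 22): creation points of the reachable objects."""
    return frozenset(mem[l][0] for l in reachable(frame, mem))

def alpha_ER(tau, frame, mem) -> AbsState:
    """Refined abstraction (Definition 41): creation points per variable and per field."""
    phi = {v: STAR if t == "int" else frozenset([mem[frame[v]][0]] if frame[v] is not None else [])
           for v, t in tau.items()}
    mu = {f: STAR if t == "int" else frozenset() for f, t in FIELD_TYPE.items()}
    for l in reachable(frame, mem):
        for f, x in mem[l][1].items():
            if FIELD_TYPE[f] != "int" and x is not None:
                mu[f] = mu[f] | {mem[x][0]}
    return phi, mu

# Constructed sample state: l4 is garbage, no variable reaches it.
TAU = {"this": "Node", "x": "Leaf", "n": "int"}
FRAME = {"this": "l1", "x": "l2", "n": 3}
MEM = {
    "l1": ("p1", {"next": "l2", "val": 0}),
    "l2": ("p2", {"next": None, "val": 1, "tag": "l3"}),
    "l3": ("p3", {}),
    "l4": ("p1", {"next": None, "val": 0}),
}

def lemma78_holds(tau, frame, mem, e) -> bool:
    """alpha_E(sigma) <= e  iff  alpha_ER(sigma) <= theta_tau(e)."""
    return (alpha_E(frame, mem) <= e) == leq(alpha_ER(tau, frame, mem), theta(tau, e))

if __name__ == "__main__":
    s = alpha_ER(TAU, FRAME, MEM)
    print("alpha_ER(sigma) is a fixpoint of xi (Proposition 47):", xi(TAU, *s) == s)
    print("Lemma 78 on {p1,p2,p3}:", lemma78_holds(TAU, FRAME, MEM, frozenset({"p1", "p2", "p3"})))
```

Running `xi` on the abstraction of the sample state returns it unchanged, which is the Proposition 47 direction "range of $\alpha^{\mathcal{ER}}$ is contained in the fixpoints of $\xi$"; feeding `xi` a hand-built state whose `tag` field is bound to a creation point no reachable class declares shows that field being reset, which is the garbage the proofs of Lemma 77 and of the put_field case rely on.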